# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------
# DELETED RULES
#---------------
# NOTE(review): the rules below have been retired from the active rule set and are kept
# here commented out, for reference only. Do not re-enable them wholesale: they no longer
# receive updates, and the DNS "known malware domain" entries are historical indicators --
# a domain can be sinkholed, expire or be re-registered, so treat a hit from a re-enabled
# entry as a lead to investigate rather than a verdict.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.6.0"; fast_pattern:only; content:".definition("; nocase; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23304; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.5.0"; fast_pattern:only; content:".definition"; nocase; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23301; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED 
BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.4.0"; fast_pattern:only; content:".definition"; nocase; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23298; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"Msxml2.FreeThreadedDOMDocument.3.0"; fast_pattern:only; content:".definition"; nocase; reference:cve,2012-1889; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-043; classtype:attempted-user; sid:23293; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:to_client,established; file_data; content:"<"; content:"onmousedown"; within:24; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^\n\s>]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17516; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:to_client,established; file_data; content:"<"; content:"onmouseup"; within:22; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^\n\s>]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17514; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:to_client,established; file_data; content:"<"; content:"onclick"; within:20; nocase; 
pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^\n\s>]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17513; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt"; flow:to_client,established; file_data; content:"<"; content:"onload"; within:19; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^\n\s>]|\(|\))*\s*){21}/Rmi"; reference:bugtraq,17131; reference:cve,2006-1245; classtype:attempted-user; sid:17515; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer malformed object type buffer overflow attempt"; flow:to_client,established; file_data; content:"object"; nocase; content:"type"; within:50; nocase; pcre:"/object[^>]*type\s*=\s*[\x22\x27][^\x22\x27]*[^\x00-\x7f]/i"; classtype:attempted-user; sid:41717; rev:3;)
# NOTE(review): sid 13216 -- the three named capture groups in the pcre below had their names
# stripped during extraction (left as "(?P\w+)", which is not valid PCRE); they are restored
# here from the back-references (?P=c), (?P=v) and (?P=n) that the same pattern uses.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS ShockwaveFlash.ShockwaveFlash ActiveX function call access"; flow:to_client,established; file_data; content:"ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ShockwaveFlash\.ShockwaveFlash\x22|\x27ShockwaveFlash\.ShockwaveFlash\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*navigateToURL\s*|.*?(?P=v)\s*\.\s*navigateToURL\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ShockwaveFlash\.ShockwaveFlash\x22|\x27ShockwaveFlash\.ShockwaveFlash\x27)\s*\)(\s*\.\s*navigateToURL\s*|.*?(?P=n)\s*\.\s*navigateToURL\s*)\s*\(/smi"; reference:cve,2007-6244; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=102039374017185&w=2; reference:url,www.adobe.com/support/security/bulletins/apsb07-20.html; classtype:attempted-user; sid:13216; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED CONTENT-REPLACE AIM or ICQ deny login for unencrypted connection"; 
flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15421; rev:4;)
# NOTE(review): sids 29101/29099 -- the pcre named groups (m1, id1, q1, q2, m2, id2) and the
# leading "<object\s*[^>]*" tag pattern were dropped from the text by an HTML-stripping
# extraction, leaving fragments such as "(?P\x22|\x27|)" and "(]*\s*id". Both are restored
# here from the surviving back-references and the "[^>]*" remnants. The "<object\s*" prefix
# is the usual VRT ActiveX-rule form but is inferred -- confirm against the upstream rule
# before reusing either pattern. 29101 deliberately inspects inbound SMTP (HTML mail bodies
# via file_data); 29099 is the HTTP/file-transfer variant.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access"; flow:established,to_server; file_data; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3B92104-B5A7-11D0-A37F-00A0248F0AF1\s*}?\s*(?P=q1)(\s|>|\x2F).*(?P=id1)\s*\.\s*(CopyToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3B92104-B5A7-11D0-A37F-00A0248F0AF1\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>|\x2F).*(?P=id2)\.(CopyToFile))/siO"; reference:url,osvdb.org/show/osvdb/85059; classtype:attempted-user; sid:29101; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS HP Application Lifecycle Management XGO.XGoCtrl ActiveX clsid access"; flow:established,to_client; file_data; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; fast_pattern:only; pcre:"/((?P<id1>\w+)\s*\.\s*CopyToFile\([^)]*?([a-z]:\\\\?|\.\.).*<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P=id1)(?P=m1)(\s|>|\x2F)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3B92104-B5A7-11D0-A37F-00A0248F0AF1\s*}?(?P=q1)|(?P<id2>\w+)\.CopyToFile\([^)]*?([a-z]:\\\\?|\.\.).*<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3B92104-B5A7-11D0-A37F-00A0248F0AF1\s*}?\s*(?P=q2)(\s|>|\x2F)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P=id2)(?P=m2)(\s|>|\x2F))/smiO"; reference:url,osvdb.org/show/osvdb/85059; classtype:attempted-user; sid:29099; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; reference:url,gauss.crysys.hu/; 
reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain guest-access.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|guest-access|03|net|00|"; fast_pattern:only; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23799; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain secuurity.net - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|secuurity|03|net|00|"; fast_pattern:only; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23803; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gowin7.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gowin7|03|com|00|"; fast_pattern:only; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23804; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dotnetadvisor.info - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|dotnetadvisor|04|info|00|"; fast_pattern:only; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23800; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bestcomputeradvisor.com - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23801; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mysundayparty.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|mysundayparty|03|com|00|"; fast_pattern:only; reference:url,contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html; classtype:trojan-activity; sid:21049; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain prettylikeher.com - Sykipot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|prettylikeher|03|com|00|"; fast_pattern:only; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:21048; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain autosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|autosync|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23024; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnsupdate.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsupdate|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23028; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pingserver.info - Flame"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pingserver|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23034; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain localgateway.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|localgateway|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23030; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnsportal.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dnsportal|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23027; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain traffic-spot.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|com|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23020; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain syncdomain.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncdomain|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23036; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnsmask.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsmask|04|info|00|"; 
fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23026; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain traffic-spot.biz - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|traffic-spot|03|biz|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23021; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnslocation.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dnslocation|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23025; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jebena|0A|ananikolic|02|su|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx; classtype:trojan-activity; sid:24034; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain reslove-dns.com - Dorifel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|reslove-dns|03|com|00|"; fast_pattern:only; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24146; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain openssh.info - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|07|openssh|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25555; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain linuxrepository.org - UNIX.Trojan.SSHDoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|linuxrepository|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/EBFD9354ED83635ED38BD117B375903F9984A18780EF86DBF7A642FC6584271C/analysis/; classtype:trojan-activity; sid:25554; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain taqyhucoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taqyhucoka|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25719; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain moqawowyti.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|moqawowyti|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25707; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fihyqukapy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fihyqukapy|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25696; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qecytylohozariw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qecytylohozariw|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25712; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xohuhynevepeqyv.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xohuhynevepeqyv|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25726; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for 
known malware domain vesufopodu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vesufopodu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25721; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dixegocixa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dixegocixa|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25692; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zykuxykevu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zykuxykevu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25728; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kyqehurevynyryk.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kyqehurevynyryk|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25702; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain facesystem.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facesystem|02|in|00|"; fast_pattern:only; classtype:trojan-activity; sid:25739; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain degupydoka.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|degupydoka|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25690; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fenemusemy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fenemusemy|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25695; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qokimusanyveful.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|qokimusanyveful|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25713; rev:2;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zuhokasyku.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|zuhokasyku|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25727; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain loqytylukykiruf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|loqytylukykiruf|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25704; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hiveqemyrehinex.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|hiveqemyrehinex|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25701; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain relusibeci.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|relusibeci|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25716; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain diconybomo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|diconybomo|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25691; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain decogonuwy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|decogonuwy|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25689; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vujygijehu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vujygijehu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25722; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain musututefu.info"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0A|musututefu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25708; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain negenezepu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|negenezepu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25710; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wezadifiha.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wezadifiha|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25724; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lujuhijalu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lujuhijalu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25705; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rulerykozu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rulerykozu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25717; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fyzuvejemuxoqiw.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fyzuvejemuxoqiw|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25698; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain superstarsinfo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|superstarsinfo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25762; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qudevyfiqa.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qudevyfiqa|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25714; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain gybejajehekyfet.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|gybejajehekyfet|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25700; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vyzefykeno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vyzefykeno|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25723; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cefimoqicy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cefimoqicy|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25686; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain covyqileju.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|covyqileju|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25688; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gecadutolu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gecadutolu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25699; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mysotonego.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mysotonego|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25709; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fegufidaty.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fegufidaty|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25694; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain luxohygity.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|luxohygity|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25706; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sygonugeze.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sygonugeze|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25718; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain updete.servehttp.com - Win.Trojan.Jimpime"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|updete|09|servehttp|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/29311a4e5c198df5fa962fdef2e71bdb87a30ca76ce901ae779d30e9b8bfce1b/analysis/; classtype:trojan-activity; sid:25624; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xatawihuvo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xatawihuvo|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25725; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fokizireheceduf.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|fokizireheceduf|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25697; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain winnerfree.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|winnerfree|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25763; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pyziviziny.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pyziviziny|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25711; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bahufykyby.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bahufykyby|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25684; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain allsearchforyou.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|allsearchforyou|02|in|00|"; fast_pattern:only; classtype:trojan-activity; sid:25730; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain favomavene.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|favomavene|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25693; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tebejoturu.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tebejoturu|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25720; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lofyjisoxo.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lofyjisoxo|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25703; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain famouspeopleinformation.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|17|famouspeopleinformation|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25741; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cohehonyhe.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cohehonyhe|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25687; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain basewibuxenagip.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|basewibuxenagip|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25685; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain radohowexehedun.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|radohowexehedun|04|info|00|"; 
fast_pattern:only; classtype:trojan-activity; sid:25715; rev:2;)
# NOTE(review): sid 26401 -- the original content "|07|gigasbh.org|03|org" embedded the dotted
# name inside a 7-byte wire-format label and could never match a real QNAME (DNS carries
# length-prefixed labels, never dots); corrected to the label form every other entry here
# uses. Sids 26402, 26405 and 26554 omit the terminating |00| and therefore also match any
# longer name that begins with those labels -- presumably intentional, left as is.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigasbh|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:26401; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; fast_pattern:only; classtype:trojan-activity; sid:26402; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; fast_pattern:only; classtype:trojan-activity; sid:26405; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|suppp|0C|cantvenlinea|03|biz|00|"; fast_pattern:only; classtype:trojan-activity; sid:26396; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|d1js21szq85hyn|0A|cloudfront|03|net"; fast_pattern:only; classtype:trojan-activity; sid:26554; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; fast_pattern:only; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; 
classtype:trojan-activity; sid:26583; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; fast_pattern:only; content:"|03|ns"; content:"|0F|"; within:2; content:"theimageparlour|03|net|00|"; within:20; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:2;)
# NOTE(review): sid 26718 -- the msg omitted the domain the content matches; it is
# "07o.no-ip.info" (decoded from "|03|07o|05|no-ip|04|info|00|"), a dynamic-DNS host, so
# the alert text now names it like every other entry here.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 07o.no-ip.info - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; fast_pattern:only; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; fast_pattern:only; 
reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; fast_pattern:only; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; fast_pattern:only; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; fast_pattern:only; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; fast_pattern:only; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain twinkcam.net - 
W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; fast_pattern:only; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain restless.su - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; fast_pattern:only; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mainenbha.com - Win.Kraziomel Trojan"; flow:to_server; content:"|09|mainenbha|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27535; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftp.sigmasolutions.gr - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0E|sigmasolutions|02|gr|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; 
classtype:trojan-activity; sid:27564; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain keurslager-demeulder.be - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|keurslager-demeulder|02|be|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27563; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain myimpactblog.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myimpactblog|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27561; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hidatabase.cn - Worm.Silly"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hidatabase|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27632; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:27628; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.xxuz.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|04|xxuz|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27627; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; 
fast_pattern:only; classtype:trojan-activity; sid:27626; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:27625; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|wolfvr|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27707; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rr.nu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|rr|02|nu"; fast_pattern:only; classtype:trojan-activity; sid:27812; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kitchenwalla.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kitchenwalla|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27946; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wsysinfonet.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wsysinfonet|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:27979; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain statinfo.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|statinfo|02|cc|00|"; fast_pattern:only; classtype:trojan-activity; sid:27978; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nmbc.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nmbc|02|cc|00|"; fast_pattern:only; classtype:trojan-activity; sid:27973; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain tohk5ja.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tohk5ja|02|cc|00|"; fast_pattern:only; classtype:trojan-activity; sid:27972; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rvbwtbeitwjeitv.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|rvbwtbeitwjeitv|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/518F0795D97037A9A7F10D4BBDACF6BAE18E3F39105AF7130F5A4C5A839275/analysis/; classtype:trojan-activity; sid:28060; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rterybrstutnrsbberve.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|rterybrstutnrsbberve|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/518F0795D97037A9A7F10D4BBDACF6BAE18E3F39105AF7130F5A4C5A839275/analysis/; classtype:trojan-activity; sid:28059; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain erwbtkidthetcwerc.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|erwbtkidthetcwerc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/518F0795D97037A9A7F10D4BBDACF6BAE18E3F39105AF7130F5A4C5A839275/analysis/; classtype:trojan-activity; sid:28058; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hy.micrsofts.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"hy|09|micrsofts|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/70cce6ade7b227044a71573cd247b0d5179bd1948a3746c698e58a6f092e0e12/analysis/; classtype:trojan-activity; sid:28104; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kartmanscript.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|kartmanscript|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/ed697a320665204f7d0393252545f40656e46e11a02808676781eb8ca5a135ad/analysis/; classtype:trojan-activity; sid:28085; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain- Win.Vobfus worm variant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0A|boxonline"; fast_pattern:only; pcre:"/\x03ns1\x0aboxonline[\x31-\x33]\x03(com|net|org)\x00/"; reference:url,www.virustotal.com/en/file/451318847bae50e855299a1878d9cbd74e7467bfff8df396e886732254fc3ade/analysis/1380827494/; classtype:trojan-activity; sid:28193; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bo0keego.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|bo0keego|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28188; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eegeingo.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|eegeingo|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28186; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xstats.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|xstats|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28183; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zstats.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|zstats|02|cc|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28182; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aenaethi.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|aenaethi|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28180; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sysinfo.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sysinfo|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28177; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oonucoog.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|oonucoog|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28176; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ahthuvuz.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ahthuvuz|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28174; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wahemah.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|wahemah|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28172; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain guodeira.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|guodeira|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28171; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wownthing.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wownthing|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28169; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eilahcha.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|eilahcha|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28167; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ircd.myz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ircd|03|myz|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:28253; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request ghjgf.info - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|ghjgf|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28296; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request www.1860tour.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|1860tour|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28295; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request www.akwm139.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|akwm139|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28294; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request www.xiaopijia.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|xiaopijia|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28293; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain chickenkiller.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|chickenkiller|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/chickenkiller.com/information/; classtype:trojan-activity; sid:28283; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 8800.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|8800|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:28327; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain goobzo.com - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|goobzo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28404; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tx.com.cn"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|02|tx|03|com|02|cn"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28400; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lovesyr.sytes.net - Win.Worm Dunhihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|lovesyr|05|sytes|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/c3c4abd4ccf24da96abc0b4045219a89c86662bad9201913c5317f6e3e7841d9/analysis/; classtype:trojan-activity; sid:28539; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.freepds.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|freepds|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/freepds.com/information/; reference:url,www.virustotal.com/en/file/5a153fcf10cc54f699776a5f06df7554dab034e112f4c7451a4f11d4894dc6b3/analysis/; classtype:trojan-activity; sid:28829; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain download.freepds.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|download|07|freepds|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/download.freepds.com/information/; reference:url,www.virustotal.com/en/file/5a153fcf10cc54f699776a5f06df7554dab034e112f4c7451a4f11d4894dc6b3/analysis/; classtype:trojan-activity; sid:28828; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hi.mybro.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|hi|05|mybro|03|biz|00|"; fast_pattern:only; reference:url,www.arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf; classtype:trojan-activity; sid:28892; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
fenhelua.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fenhelua|03|com"; fast_pattern:only; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; classtype:trojan-activity; sid:28959; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request to suspicious domain ns1.pollosm.me.uk - Win.Trojan.Bunitu.G"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|07|pollosm|02|me|02|uk|00|"; fast_pattern:only; classtype:trojan-activity; sid:28953; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request to suspicious domain ns0.pollosm.me.uk - Win.Trojan.Bunitu.G"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns0|07|pollosm|02|me|02|uk|00|"; fast_pattern:only; classtype:trojan-activity; sid:28952; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain comebacktopapa.xicp.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|comebacktopapa|04|xicp|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/34d20db5a3e9b452dee28e7dd7349956f665a74dc7857b0ccd2f0ec19f28d66f/analysis/; classtype:trojan-activity; sid:29015; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.moderntip.com.tr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|moderntip|03|com|02|tr|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/46713474c7b1cf3f90756e9c0dcec74f8f87fb3958152ce4835523f703c1689b/analysis/; classtype:trojan-activity; sid:29132; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jiang-zem.in - Win.Trojan.Zeus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|jiang-zem|02|in|00|"; fast_pattern:only; classtype:trojan-activity; sid:29126; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain 666t.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|666t|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fadbf5d8176216d1cb23ea29f2fbcb502a935f36ca16d0d9608512494b3615ee/analysis/; classtype:trojan-activity; sid:29107; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a01.jackposegood.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|a01|0C|jackposegood|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1d5e25ac575b385b914b5c8d2cddbec78b3f613d1ba44fe452ad82d3d016538f/analysis/; classtype:trojan-activity; sid:29083; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware ftp.nirnbuzz.ugig.ir"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|08|nirnbuzz|04|ugig|02|ir|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3d11133b69a72f1cb9d1ee5c33c9ffe442b654a14e901654c79bcf2250d29bbf/analysis/; classtype:trojan-activity; sid:29080; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.sxpfxb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|sxpfxb|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/80b1e7c967bc4634e4eaf3d8501c357e629e7df06ca76987e06090a63bc2489c/analysis/; classtype:trojan-activity; sid:29178; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain netbar.asys.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|netbar|04|asys|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/80b1e7c967bc4634e4eaf3d8501c357e629e7df06ca76987e06090a63bc2489c/analysis/; classtype:trojan-activity; sid:29177; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain allnewsmedia.webatu.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0C|allnewsmedia|06|webatu|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29173; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yourssagregator.comlu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|yourssagregator|05|comlu|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29172; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lovecatalog.comlu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|lovecatalog|05|comlu|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29171; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yomboum.comlu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|yomboum|05|comlu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:29151; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wut.mophecfbr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wut|09|mophecfbr|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/8495ea2ed9f8ce75da1f0390a290d0a4dc5ddf9d882794d75f293825d03c51fe/analysis/; classtype:trojan-activity; sid:29144; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain trasbaiana.web102.f1.k8.com.br"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|trasbaiana|06|web102|02|f1|02|k8|03|com|02|br|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/5634b5d2086e69be47fac7a3e6f8c35f7111bef72c40a39aad76205b7efe62ec/analysis/; classtype:trojan-activity; sid:29303; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ent.wikaba.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ent|06|wikaba|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/91b9522c2863908a648ec9b49c88a48af7918e8ae6f48db0e9ed39c9b13412c9/analysis/; classtype:trojan-activity; sid:29298; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain 003mxs.eu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|003mxs|02|eu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/94b636c6c1858c584850b25cdcfaf3a6a0f9f68d81113a0de28aa78d38cf4c3e/analysis/; classtype:trojan-activity; sid:29290; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kara.no-ip.info - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|kara|05|no-ip|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e3cbce74e7fa73b931283b0187f237d0acb4ea3e1f5ce2be4af83493a6bef460/analysis/; classtype:trojan-activity; sid:29263; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bog5151.zapto.org - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bog5151|05|zapto|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fc274838271cc9e28d8c3c9c925f38c07da14c13f3df56f41450f514904ae876/analysis/; classtype:trojan-activity; sid:29262; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain - compare-free.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|compare-free|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/666017ab5471c44715bb9363bbc9fc043910592e2a0f1f3c12bed3378156a5a6/analysis/; classtype:trojan-activity; sid:29355; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain downcompile.3322.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|downcompile|04|3322|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e069f1c14ece298aa0cb7c9509e019c747f1d255f34040e5f58eea93b08cf310/analysis/; classtype:trojan-activity; sid:29350; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain 14.7k.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|14|02|7k|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ef611fe55f6ef6cd26a65f639de270351044b60157a5715a605ef8c1a43a89c9/analysis/; classtype:trojan-activity; sid:29343; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain 55l1.3322.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|55l1|04|3322|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ef611fe55f6ef6cd26a65f639de270351044b60157a5715a605ef8c1a43a89c9/analysis/; classtype:trojan-activity; sid:29342; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain loveisland.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|loveisland|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:29373; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain plano.altervista.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|plano|0A|altervista|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/14051e376e7ae77b1a771e9643148d2cc79d2067670de14ac0e2003c75fd7baf/analysis/; classtype:trojan-activity; sid:29432; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST 
DNS request for known malware domain www.kreamnnd.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|kreamnnd|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/236e3b7bfc74dbe394fdd854a829000a73ee2ec763ab2825a5e7f168eb58f8e0/analysis/; classtype:trojan-activity; sid:29429; rev:2;)
# ---------------------------------------------------------------------------
# NOTE(review): retired "BLACKLIST DNS" indicator rules. Every rule in this
# run is commented out; it is kept for sid/rev history only and is not
# loaded. All of them share one shape:
#   - udp $HOME_NET any -> any 53 (or -> $EXTERNAL_NET 53): client-side DNS
#     queries. The "-> any 53" form also matches queries sent to an internal
#     resolver; whether "-> $EXTERNAL_NET 53" does depends on how
#     $EXTERNAL_NET is defined (commonly !$HOME_NET), so the two variants can
#     have different coverage when clients use a local forwarder.
#   - flow:to_server: direction only; UDP carries no established state.
#   - byte_test:1,!&,0xF8,2: the byte at offset 2 of the DNS header (QR bit
#     plus the four opcode bits) must be all zero, i.e. a standard query,
#     not a response and not an inverse/status query.
#   - content:"|NN|label|NN|label|00|": the name in DNS wire format, one
#     length byte per label and a terminating zero byte. Because the pattern
#     can start at any label it matches the name and any subdomain of it,
#     but the leading length byte stops it matching a longer label such as
#     "xkreamnnd".
#   - fast_pattern:only: the content is used only by the fast-pattern
#     matcher and is not evaluated again as a rule option. A few rules below
#     omit it (sid:29568, 29567 and 30069).
# Several rules carry only a VirusTotal sample/URL link as their reference;
# most names are on dynamic-DNS providers and can be re-registered by
# anyone, so if any rule is ever reinstated the indicator should be
# re-validated first — a stale entry is a false-positive source, not a
# detection.
# ---------------------------------------------------------------------------
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain korivind.se - Linux.Backdoor.Tsunami"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|korivind|02|se|00|"; fast_pattern:only; classtype:trojan-activity; sid:29492; rev:2;)
# NOTE(review): the next two rules (sid:29568, 29567) have no fast_pattern
# modifier, so the content is evaluated as a normal rule option; both cite
# the same two VirusTotal samples.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain funny.evils.in - Linux.Backdoor.Shellbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|funny|05|evils|02|in|00|"; reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d576b62444114306effb4023d/analysis/1390763713/; reference:url,www.virustotal.com/en/file/daffe8b88d7fd99e5a5000b697aeca46aa7c305a6408d952018b9d1f5f5c6fdb/analysis/1390763695/; classtype:trojan-activity; sid:29568; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain antiq.scifi.ro - Linux.Backdoor.Shellbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|antiq|05|scifi|02|ro|00|"; reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d576b62444114306effb4023d/analysis/1390763713/; reference:url,www.virustotal.com/en/file/daffe8b88d7fd99e5a5000b697aeca46aa7c305a6408d952018b9d1f5f5c6fdb/analysis/1390763695/; classtype:trojan-activity; sid:29567; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain suportando.sytes.net - Win.Trojan.Banker.AALV"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|suportando|05|sytes|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/398f36f011199c4452fcc1543c6191b9a58937427f8b7af7e7ad221cba634ea6/analysis/; classtype:trojan-activity; sid:29564; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain hingston2.eu - Win.Trojan.Sarvdap"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|hingston2|02|eu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5334dfa5255a1b6447faab0dad6571af205d5fd5be8af07f17c6d7343639c1c9/analysis/; classtype:trojan-activity; sid:29739; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain srf.im - Win.Trojan.Truado"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|srf|02|im|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/87ab59e92178018832b1a66df5b42c8cd962e805a844e59c6a14c028a093efd1/analysis/; classtype:trojan-activity; sid:29653; rev:2;)
# The Win.Trojan.Careto rules that follow (sid:29761 through 29787, with
# gaps in this chunk) all reference the same VirusTotal sample; they differ
# only in the queried name.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wwnav.selfip.net - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29787; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wqq.dyndns.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29786; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tunga.homedns.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29785; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain takami.podzone.net - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29784; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain swupdt.com - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29783; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sv.serveftp.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29782; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain services.serveftp.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29781; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ricush.ath.cx - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29780; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain prosoccer1.dyndns.info - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29778; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pl400.dyndns.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29777; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pininfarina.dynalias.com - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|dynalias|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29776; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oco-231-ms.xns01.com - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|oco-231-ms|05|xns01|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29775; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nthost.shacknet.nu - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29774; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nav1002.ath.cx - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29773; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msupdt.com - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29772; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mango66.dyndns.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29771; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain helpcenter1it6238.cz.cc - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|helpcenter1it6238|02|cz|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29768; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gx5639.dyndns.tv - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29767; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fast8.homeftp.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29766; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dfup.selfip.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29765; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctronlinenews.dyndns.tv - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|dyndns|02|tv|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29764; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cherry1962.dyndns.org - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29763; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain carrus.gotdns.com - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29762; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain appleupdt.com - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29761; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wxyz.mesjunio.com - Win.Trojan.Lurk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wxyz|08|mesjunio|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/607f90b36f9a50d01ca31a9c1e5f08063bb9e8d3cf04a92220972c389024f50b/analysis/; classtype:trojan-activity; sid:29818; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sidisalim.myvnc.com - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sidisalim|05|myvnc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b560a6719a23095cbaeabcff55e8a9dd8fde1fdf4c428b6261731072eb5256d2/analysis/; classtype:trojan-activity; sid:29833; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hattouma12.no-ip.biz - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hattouma12|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/960aee6e11a44bf18a5f224019bd40e35112a2f312c220c9aaf0b30c9a5ba084/analysis/; classtype:trojan-activity; sid:29832; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain up.ok789111.com - Win.Trojan.Comowba"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|up|08|ok789111|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/B3F0C670600DFF5C889943948B5D1DBC5F07105D08086EE0F33161132FFEB2F7/analysis/; classtype:trojan-activity; sid:29900; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain gsndomain.ddns.us - Win.Trojan.Pyteconte"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|gsndomain|04|ddns|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/B18C100ED8D45A2B4D90EBA0C6DCFCCA644EAD4D80058A344F7FC757B880FEA1/analysis/; classtype:trojan-activity; sid:29892; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain intertechsupport.net - Win.Trojan.Hanove"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|intertechsupport|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/7214be3b955cdd6ce1a8bb12c6f0a257531e440dd9687b9500a7b039464fff75/analysis/; classtype:trojan-activity; sid:29872; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.rekurigo.com - Win.Trojan.Napolar"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|rekurigo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29868; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain luotuozhizhu.blog.163.com - Win.Trojan.ZhiZhu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|luotuozhizhu|04|blog|03|163|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ff96d09e3fe618a296dc5b4425224831dbb49877be054276da5baefcc52e0f53/analysis/; classtype:trojan-activity; sid:29919; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain picpvicp.3322.org - Win.Trojan.Zmcwinsvc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|picpvicp|04|3322|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bfe4e0db9d719bcda09242be9a2c86200413b1be497182a9e14b5524ad6b48fd/analysis/; classtype:trojan-activity; sid:29913; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hmpcorcv.vicp.net - Win.Trojan.Zmcwinsvc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|hmpcorcv|04|vicp|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bfe4e0db9d719bcda09242be9a2c86200413b1be497182a9e14b5524ad6b48fd/analysis/; classtype:trojan-activity; sid:29912; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 45g5bh.tradingcenter.biz - Win.Trojan.Madnedos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|45g5bh|0D|tradingcenter|03|biz|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/f404fc0f7ca32b2927066b8002a2e847c9f21c9d5b0d01c484e9e20600c8e88d/analysis/; classtype:trojan-activity; sid:29906; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain godson355.vicp.cc - Win.Trojan.Meac"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|godson355|04|vicp|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/73925ed709ff4891315a7ac7910666e3d3d46d34b4719f6102b45e3eea5a35bd/analysis/; classtype:trojan-activity; sid:29986; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yourdomainnames.myddns.com - Win.Svekifc.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|yourdomainnames|06|myddns|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/d696c02f6bcccbb6ee8fe661680c33d423064beb02be90a1c6c3367d3961164c/analysis/; classtype:trojan-activity; sid:29974; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tripadvisor.dyndns.info - Win.Trojan.Horsum"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|tripadvisor|06|dyndns|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/6c81871574fb54479e0920ee239f2bec9b636d64991cff66e674885ac1630513/analysis/; classtype:trojan-activity; sid:29997; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain foursquare.dyndns.tv - Win.Trojan.Horsum"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|foursquare|06|dyndns|02|tv|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/6c81871574fb54479e0920ee239f2bec9b636d64991cff66e674885ac1630513/analysis/; classtype:trojan-activity; sid:29996; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yelp.webhop.org - Win.Trojan.Horsum"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|yelp|06|webhop|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/6c81871574fb54479e0920ee239f2bec9b636d64991cff66e674885ac1630513/analysis/; classtype:trojan-activity; sid:29995; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain neuro.dyndns-at-home.com - Win.Trojan.Horsum"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|neuro|0E|dyndns-at-home|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/6c81871574fb54479e0920ee239f2bec9b636d64991cff66e674885ac1630513/analysis/; classtype:trojan-activity; sid:29994; rev:2;)
# NOTE(review): sid:30069 below is the only Android-labelled rule in this
# run; it uses -> $EXTERNAL_NET 53 and has no fast_pattern modifier.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smsgrabber.url.ph - Android iBanking/Spy.49"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|smsgrabber|03|url|02|ph|00|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30069; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adobeincorp.com - Win.Trojan.Coresh"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|adobeincorp|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:30059; rev:2;)
# NOTE(review): the reference URL on sid:30056 begins "total.com/en/file/",
# which does not match the "virustotal.com/en/file/<sha256>/analysis/" form
# used by every neighbouring rule; it looks like a truncated VirusTotal link.
# Left as-is here (the rule is retired) — confirm the host before reusing
# the hash as an indicator.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain godheaven.3322.org - Win.Trojan.Peronspy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|godheaven|04|3322|03|org|00|"; fast_pattern:only; reference:url,total.com/en/file/4f594638a45507a2f5b29e165e2bbd5ea53e80fbec29d9d8cfb1b22bff3bb83a/analysis/; classtype:trojan-activity; sid:30056; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain krimpsquail.zapto.org - Win.Trojan.Darkkomet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|krimpsquail|05|zapto|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/file/DA4C0907B8FCABDD9E821EDE905A6F09D32B2DBE6A58D90C4FE31164993E5796/analysis/; classtype:trojan-activity; sid:30039; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain v00d00.org - Win.Trojan.Otlard"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|v00d00|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/file/fd35f5a4b82de4c79eb224bc974f3bf806c76585c5927c4883567a863df0d1b9/analysis/; classtype:trojan-activity; sid:30089; rev:2;)
# The Uroburos rootkit rules below (sid:30190 down to 30170, with gaps in
# this chunk) all cite the same three references: the BAE Systems "snake"
# whitepaper, a news article and one VirusTotal sample. The msg text drops
# the "- <family>" suffix used by the other rules.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain wintersport.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wintersport|05|sytes|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30190; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain tiger.got-game.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tiger|08|got-game|03|org|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30187; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain sweeden-history.zapto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|sweeden-history|05|zapto|03|org|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30186; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain supernews.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|supernews|05|sytes|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30185; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain stockholm-blog.hopto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|stockholm-blog|05|hopto|03|org|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30184; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain sportmusic.servemp3.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sportmusic|08|servemp3|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30183; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain scandinavia-facts.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|scandinavia-facts|05|sytes|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30182; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain pockerroom.servebeer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pockerroom|09|servebeer|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30180; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain olympik-blog.4dq.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|olympik-blog|03|4dq|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30179; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain nhl-blog.servegame.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|nhl-blog|09|servegame|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30178; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain health-everyday.faqserv.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|health-everyday|07|faqserv|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30177; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain freeutils.3utilities.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|freeutils|0A|3utilities|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30176; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain franceonline.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|franceonline|05|sytes|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30175; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain fifa-rules.25u.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fifa-rules|03|25u|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30173; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain eunews-online.zapto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|eunews-online|05|zapto|03|org|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30172; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain cars-online.zapto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|cars-online|05|zapto|03|org|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30171; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain arctic-zone.bbsindex.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|arctic-zone|08|bbsindex|03|com|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30170; rev:2;)
# The next four rules (sid:30275, 30322, 30321, 30303) reference a
# VirusTotal URL report ("/en/url/") rather than a file sample.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain skyslisten.com - Win.Backdoor.Sloth"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|skyslisten|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/6cf0cb336265ffad60f7a7eb7246ca4ebec868e97c1b9fb4ad7f8e52e79bc80a/analysis/; classtype:trojan-activity; sid:30275; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tobiasteka.hu - Win.Trojan.Drawnetz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tobiasteka|02|hu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/3433cd851d57a7e24942a17549d8318d66337a6ec21e6c3d83e3e3c5caa5f818/analysis/; classtype:trojan-activity; sid:30322; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain printlux.by - Win.Trojan.Drawnetz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|printlux|02|by|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/e113b904f4540a5a27d638f812fe4a53ce7242d6ac1eabaefb241d6a0a7b876b/analysis/; classtype:trojan-activity; sid:30321; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mcsup.cc - Win.Trojan.Noctabor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mcsup|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/7ad3fe9b5849ecbe8dd03f74b417849ea40914bd9d2e14a6fe7bec1587a9f0dc/analysis/; classtype:trojan-activity; sid:30303; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain titan2014.sytes.net - Win.Trojan.Zbot/Bublik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|titan2014|05|sytes|03|net|00|"; fast_pattern:only; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30481; rev:2;)
# NOTE(review): the two Win.Trojan.Ramdo names below (sid:30546, 30544) are
# fixed-length random-looking labels; the referenced Sophos write-up is the
# only source given, and a literal per-name match like this covers only the
# names listed, not the generator.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uogwoigiuweyccsw.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|uogwoigiuweyccsw|03|org|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30546; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eimqqakugeccgwak.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|eimqqakugeccgwak|03|org|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30544; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain universal2010.no-ip.org - Win.Worm.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|universal2010|05|no-ip|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/2dc9930a0d324838f847f940ea7fa1da8808f910a39c2e701020820f7e33974a/analysis/; classtype:trojan-activity; sid:30772; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain androld666.com - Andr.Trojan.Oldboot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|androld666|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f0203c4a59f4b9e701276f0021112c65d7b70dd14b8b3f870412a6432d969097/analysis/; classtype:trojan-activity; sid:30813; rev:6;)
# The Win.Trojan.Mudrop rules that follow (sid:30834 through 30842, rev:3)
# all cite the same two VirusTotal samples.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wisenwizard.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wisenwizard|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30842; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain websparkle.biz - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|websparkle|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30841; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain towertilt.com - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|towertilt|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30840; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serialtrunc.com - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|serialtrunc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30839; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain secretsauce.biz - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|secretsauce|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30838; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saltarsmart.biz - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|saltarsmart|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30837; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qualitink.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|qualitink|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30836; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain plurpush.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|plurpush|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30835; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain outobox.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|outobox|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30834; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain megabrowse.biz - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|megabrowse|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30833; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain luckyleap.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|luckyleap|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30832; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lemurleap.info - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|lemurleap|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30831; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kozaka.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kozaka|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30830; 
rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jotzey.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jotzey|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30829; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain grabmyrez.co - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|grabmyrez|02|co|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30828; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain diamondata.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|diamondata|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30827; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain browsesmart.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|browsesmart|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; 
reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30826; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain browsemark.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|browsemark|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30825; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain betterbrowse.net - Win.Trojan.Mudrop"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|betterbrowse|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1922d4c732c951d9d934f1cff4f498ffab9b7f2088532aecffbf45c01ce9fb7b/analysis/; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30824; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bedircati.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|bedircati|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:30891; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aim-cs.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|aim-cs|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/aim-cs.ru/information/; classtype:trojan-activity; sid:30899; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain secure-login.homeftp.net - Win.Worm.Phelshap"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0C|secure-login|07|homeftp|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/58c046f8c9cc662bcd5ba79724a246c08f0c55cb49d3842295d4c35533b987ca/analysis/; classtype:trojan-activity; sid:30916; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain ns1.dnsfor0.com - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|07|dnsfor0|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/58cc1e70465e5f608fd5de17dff59af8354e0356b75ebc8f4795eacaa07ef8d3/analysis/; classtype:trojan-activity; sid:30952; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain knightmemory.com - Win.Trojan.Nethief"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|knightmemory|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/E806B8A995B9C84FFF49CCC28EDA497DC9039436C700C54F2C811D2C000E80A6/analysis/; classtype:trojan-activity; sid:31003; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain plugin.92taojin.com - Win.Trojan.Karnos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|plugin|08|92taojin|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/c6b1581aa0d8e1b95545d676f68aa32cacd55750e2562ddd66b979d7bc07ee47/analysis/; classtype:trojan-activity; sid:30980; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.uslugi-ryazan.ru - Win.Trojan.SpyBanker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|uslugi-ryazan|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31035; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.casting.diamondhostess.hu- Win.Trojan.SpyBanker"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|03|www|07|casting|0E|diamondhostess|02|hu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31034; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain exactlyfind.com - Win.Trojan.Alurewo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|exactlyfind|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/exactlyfind.com/information/; classtype:trojan-activity; sid:31078; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain odvez.to - Win.Trojan.Tobinload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|odvez|02|to|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/odvez.to/information/; classtype:trojan-activity; sid:31065; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cornelia1.funpic.de - Win.Trojan.Expone"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cornelia1|06|funpic|02|de|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cornelia1.funpic.de/information/; classtype:trojan-activity; sid:31061; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain claudia.tipido.net - Win.Trojan.Expone"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|claudia|06|tipido|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/claudia.tipido.net/information/; classtype:trojan-activity; sid:31060; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain site1379390026.hospedagemdesites.ws - Win.Trojan.Banload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|site1379390026|11|hospedagemdesites|02|ws|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/site1379390026.hospedagemdesites.ws/information/; classtype:trojan-activity; sid:31054; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trinity-electric-inc.com - Win.Trojan.Sloft"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|trinity-electric-inc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/trinity-electric-inc.com/information/; classtype:trojan-activity; sid:31141; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nyescortsasianoutcall.com - Win.Trojan.Sloft"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|15|nyescortsasianoutcall|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/nyescortsasianoutcall.com/information/; classtype:trojan-activity; sid:31140; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fourchette-des-arenes.com - Win.Trojan.Sloft"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|15|fourchette-des-arenes|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/fourchette-des-arenes.com/information/; classtype:trojan-activity; sid:31139; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dudicalworld.com - Win.Trojan.Sloft"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|dudicalworld|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dudicalworld.com/information/; classtype:trojan-activity; sid:31138; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aisgolf.com - Win.Trojan.Sloft"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|aisgolf|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/aisgolf.com/information/; classtype:trojan-activity; sid:31137; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain obamasu.webs.com - Win.Trojan.Deedevil"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|obamasu|04|webs|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/obamasu.webs.com/information/; classtype:trojan-activity; sid:31134; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain download.ustechsupport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|download|0D|ustechsupport|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/download.ustechsupport.com/information/; classtype:trojan-activity; sid:31117; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blackshades.ru - Win.Trojan.Blackshades"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|blackshades|03|ru |00|"; fast_pattern:only; reference:url,virustotal.com/en/file/cf86b1ccf8382f8b73da06686a726bbbf00e15629c51b1431679e5a12bc3e2e3/analysis/; classtype:trojan-activity; sid:31107; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zelvesz.2u.se - Win.Trojan.Tempest"; flow:to_server; byte_test:1,!&,0xF8,2; content:"szelvesz|02|2u|02|se|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/d3aac49f9fd6a3f0c52c4cf9dca2448a324fb94b113c53a8ad8845c8559a8dc6/analysis/; classtype:trojan-activity; sid:31175; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain technopoleci.com - Win.Trojan.Cryptodefence"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|technopoleci|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/technopoleci.com/information/; classtype:trojan-activity; sid:31170; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lvpconveyors.co.uk - Win.Trojan.Cryptodefence"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0C|lvpconveyors|02|co|02|uk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/lvpconveyors.co.uk/information/; classtype:trojan-activity; sid:31169; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain i1.megagetnews.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|i1|0B|megagetnews|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/i1.megagetnews.net/information/; classtype:trojan-activity; sid:31164; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain c1.downlloaddatamy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|c1|0F|downlloaddatamy|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/c1.downlloaddatamy.info/information/; classtype:trojan-activity; sid:31163; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smart.aggipulla.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|smart|09|aggipulla|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/108.61.152.106/information/; classtype:trojan-activity; sid:31156; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hotel.aggipulla.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|hotel|09|aggipulla|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/108.61.152.106/information/; classtype:trojan-activity; sid:31154; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain group.aggipulla.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|group|09|aggipulla|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/108.61.152.106/information/; classtype:trojan-activity; sid:31153; rev:2;) 
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain code.aggipulla.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|code|09|aggipulla|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/108.61.152.106/information/; classtype:trojan-activity; sid:31151; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sarkaricareer.com - Win.Trojan.Scarpnex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|sarkaricareer|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sarkaricareer.com/information/; classtype:trojan-activity; sid:31187; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kentawp.3322.org - Win.Trojan.Guise"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|kentawp|04|3322|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/kentawp.3322.org/information/; classtype:trojan-activity; sid:31186; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain arearugshopper.com - Win.Downloader.Upatre"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|arearugshopper|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/arearugshopper.com/information/; classtype:trojan-activity; sid:31239; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ayool.no-ip.org - Win.Trojan.Nuckam"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ayool|05|no-ip|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ayool.no-ip.org/information/; classtype:trojan-activity; sid:31233; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blog.wordpress-catalog.com - Win.Trojan.Soraya"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|blog|11|wordpress-catalog|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/blog.wordpress-catalog.com/information/; classtype:trojan-activity; sid:31227; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Soraya"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|143biz|02|cc|05|md-14|0A|webhostbox|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/143biz.cc.md-14.webhostbox.net/information/; classtype:trojan-activity; sid:31226; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|rc1|09|arkinixik|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/rc1.arkinixik.net/information/; classtype:trojan-activity; sid:31257; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|pc-service-fm|02|de|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/domain/pc-service-fm.de/information/; classtype:trojan-activity; sid:31253; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|toons|0E|freesexycomics|03|com|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/domain/toons.freesexycomics.com/information/; classtype:trojan-activity; sid:31252; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0A|swissitaly|03|com|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/ip-address/80.242.147.107/information/; classtype:trojan-activity; sid:31251; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|simpsons|0E|freesexycomics|03|com|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/domain/simpsons.freesexycomics.com/information/; classtype:trojan-activity; sid:31250; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|pekanin|07|freevar|03|com|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/domain/pekanin.freevar.com/information/; classtype:trojan-activity; sid:31249; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|mahsms|02|ir|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/domain/mahsms.ir/information/; classtype:trojan-activity; sid:31248; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|artem|06|sataev|03|com|00|"; fast_pattern:only; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/domain/artem.sataev.com/information/; classtype:trojan-activity; 
sid:31247; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dc186.gulfup.com - Win.Downloader.Bladabindi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dc186|06|gulfup|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/cff1ca60680289b65c040322285a5704d44cde672cfed3fe15d216a3d2b93fa1/analysis/; classtype:trojan-activity; sid:31287; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain honkytonk69.tk.hostinghood.com - Win.Trojan.Vectecoin"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|honkytonk69|02|tk|0B|hostinghood|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/8cc48dd39dccd0944516c086be2a368a38f7cb3d56e2a05aa0bf750fb52d63b4/analysis/; classtype:trojan-activity; sid:31269; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uab.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|uab|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/uab.cc/information/; classtype:trojan-activity; sid:31268; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain irm.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|irm|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/irm.cc/information/; classtype:trojan-activity; sid:31267; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gdm.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|gdm|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/gdm.cc/information/; classtype:trojan-activity; sid:31266; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain elg.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|elg|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/elg.cc/information/; classtype:trojan-activity; sid:31265; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dza.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dza|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dza.cc/information/; classtype:trojan-activity; sid:31264; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ac-shippingllc.com - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|ac-shippingllc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ac-shippingllc.com/information/; classtype:trojan-activity; sid:31263; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain plus.zzinfor.cn - Win.Trojan.Rofin"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|plus|07|zzinfor|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/plus.zzinfor.cn/information/; classtype:trojan-activity; sid:31327; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a1.p2ptool.com - Win.Trojan.Rofin"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|a1|07|p2ptool|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/a1.p2ptool.com/information/; classtype:trojan-activity; sid:31326; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vividl.comze.com - Win.Trojan.Zediv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|vividl|05|comze|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/70f11ac22ac6d01dd211868b5299f2535213b8e2f01f6a7332d19f1749c5562f/analysis/; classtype:trojan-activity; sid:31318; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST 
DNS request for known malware domain lehnjb.epac.to - Win.Trojan.Httneilc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|lehnjb|04|epac|02|to|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/a19db707a9ec736b6b1181ce436726c925750a4b18d6c1b6e17fe16f6cee5547/analysis/; classtype:trojan-activity; sid:31358; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gjjb.flnet.org - Win.Trojan.Httneilc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gjjb|05|flnet|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/6c42fbb5033ec95b45f79d3b61a2ad73109274be74b001bf4d1cc7a011fda0ad/analysis/; classtype:trojan-activity; sid:31357; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain indo.msname.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|indo|06|msname|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/2f6f2b5b356db1620fecdbf92fbaf7abffec0d8d79893c809bdd31a0169ecbc8/analysis/; classtype:trojan-activity; sid:31423; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|likeyoudominicana|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31445; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|dominicanajoker|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31444; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain nanoseklo.net - Win.Trojan.HW32"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nanoseklo|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31472; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|disk57|03|com|00|"; fast_pattern:only; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31464; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tc-zo.ch - Andr.Trojan.Emmental"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tc-zo|02|ch|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0dc7d89c49d70be397c5b66689aabd58d480b73e0071439f8ab2bdf591bc6672/analysis/; classtype:trojan-activity; sid:31518; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain security-apps.net - Andr.Trojan.Emmental"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|security-apps|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0dc7d89c49d70be397c5b66689aabd58d480b73e0071439f8ab2bdf591bc6672/analysis/; classtype:trojan-activity; sid:31517; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oguhtell.ch - Andr.Trojan.Emmental"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|oguhtell|02|ch|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0dc7d89c49d70be397c5b66689aabd58d480b73e0071439f8ab2bdf591bc6672/analysis/; classtype:trojan-activity; sid:31515; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain .bayandovmeci.com - Win.Trojan.Glupteba"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0C|bayandovmeci|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31601; rev:2;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DELETED BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba"; flow:to_client; content:"|07|spheral|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31600; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hslh|05|sytes|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5382192453e48d46e20096b14458b17368d401ccbf365020e6094cd5ed20ac51/analysis/; classtype:trojan-activity; sid:31639; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tioracudi1977.co.vu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|tioracudi1977|02|co|02|vu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/tioracudi1977.co.vu/information/; classtype:trojan-activity; sid:31663; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sputnikmailru.cdnmail.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|sputnikmailru|07|cdnmail|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sputnikmailru.cdnmail.ru/information/; classtype:trojan-activity; sid:31662; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quidisnagend1983.co.vu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|quidisnagend1983|02|co|02|vu|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/quidisnagend1983.co.vu/information/; classtype:trojan-activity; sid:31661; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ltc.give-me-coins.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ltc|0D|give-me-coins|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ltc.give-me-coins.com/information/; classtype:trojan-activity; sid:31660; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain leicaresbe1976.co.vu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|leicaresbe1976|02|co|02|vu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/leicaresbe1976.co.vu/information/; classtype:trojan-activity; sid:31659; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain brasicerer1976.co.vu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|brasicerer1976|02|co|02|vu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/brasicerer1976.co.vu/information/; classtype:trojan-activity; sid:31654; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain amigobin.cdnmail.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|amigobin|07|cdnmail|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/amigobin.cdnmail.ru/information/; classtype:trojan-activity; sid:31653; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known PUA domain mytransitguide.com - MyTransitGuide Toolbar"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|mytransitguide|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/74.113.233.180/information/; classtype:misc-activity; sid:31705; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain managejave.myftp.org - 
Win.Trojan.Kronos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|managejave|05|myftp|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/9806d1b664c73712bc029e880543dfa013fdd128dd33682c2cfe5ad24de075b9/analysis/; classtype:trojan-activity; sid:31690; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain albuscapital.info - Win.Trojan.Waski"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|albuscapital|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/albuscapital.info/information/; classtype:trojan-activity; sid:31721; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain albus-capital.com - Win.Trojan.Waski"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|albus-capital|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/103.14.215.10/information/; classtype:trojan-activity; sid:31720; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain razihearing.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|razihearing|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:31737; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|microsoftca|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/B908FA279D95D0CD15BFD762DB4BEF95BA63A32F4ACED9BA6AA0C0D1A433AB5C/analysis/; classtype:trojan-activity; sid:31754; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain static.jg7.org - Win.Trojan.Dizk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|static|03|jg7|03|org|00|"; fast_pattern:only; reference:url,blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html; 
reference:url,www.infosecisland.com/blogview/23567-Vietnamese-Malware-Gets-Very-Personal.html; reference:url,www.virustotal.com/en/file/cb4c23e3c9b8d1555b4d072b39153f60f07b17bc6f076539f9ea7162b641d211/analysis/; classtype:trojan-activity; sid:31804; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain imaps.qki6.com - Win.Trojan.Dizk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|imaps|04|qki6|03|com|00|"; fast_pattern:only; reference:url,blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html; reference:url,www.infosecisland.com/blogview/23567-Vietnamese-Malware-Gets-Very-Personal.html; reference:url,www.virustotal.com/en/file/cb4c23e3c9b8d1555b4d072b39153f60f07b17bc6f076539f9ea7162b641d211/analysis/; classtype:trojan-activity; sid:31803; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gefesosexwithjimmy.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|gefesosexwithjimmy|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:31781; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|eduarditopallares|04|mooo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0a7e5ba1ba4c1ae22b7d6d30026ffb287911be4bdc8042363d29c93c3c71b3e7/analysis/; classtype:trojan-activity; sid:31829; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|yuzhanqiu1990|04|3322|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/yuzhanqiu1990.3322.org/information/; classtype:trojan-activity; sid:31816; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
www.ltp666.com - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|ltp666|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ltp666.com/information/; classtype:trojan-activity; sid:31815; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain video.csmcpr.com - Win.Trojan.Threebyte"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|video|06|csmcpr|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/video.csmcpr.com/information/; classtype:trojan-activity; sid:31884; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain telechargementmobile.besaba.com - Win.Dropper.Agent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|telechargementmobile|06|besaba|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:31872; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|southblood|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31921; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|saltsecond|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31919; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|recoalmeida|0D|gratisphphost|04|info|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/recoalmeida.gratisphphost.info/information/; classtype:trojan-activity; sid:31908; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain useushippinginc.com - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|useushippinginc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/useushippinginc.com/information/; classtype:trojan-activity; sid:31963; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sted.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sted|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sted.cc/information/; classtype:trojan-activity; sid:31962; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain modern-shipping.biz - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|modern-shipping|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/modern-shipping.biz/information/; classtype:trojan-activity; sid:31961; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain express-shippingus.net - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|express-shippingus|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/express-shippingus.net/information/; classtype:trojan-activity; sid:31960; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain edal.cc - Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|edal|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/edal.cc/information/; classtype:trojan-activity; sid:31959; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ambi.cc - 
Win.Trojan.Caphaw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ambi|02|cc|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ambi.cc/information/; classtype:trojan-activity; sid:31958; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pstcmedia.com - Win.Trojan.Rukypee"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|pstcmedia|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/pstcmedia.com/information/; classtype:trojan-activity; sid:31952; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flushupate.com - Win.Trojan.Rukypee"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|flushupate|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/flushupate.com/information/; classtype:trojan-activity; sid:31951; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ahmedfaiez.info - Win.Trojan.Rukypee"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ahmedfaiez|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ahmedfaiez.info/information/; classtype:trojan-activity; sid:31950; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsof-update.com - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|microsof-update|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31938; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsofi.org - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|microsofi|03|org|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31937; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain testservice24.net - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|testservice24|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31936; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain updatesoftware24.com - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|updatesoftware24|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31935; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain updatepc.org - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|updatepc|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31934; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain scanmalware.info - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|scanmalware|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31933; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain checkmalware.info - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|checkmalware|04|info|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31932; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adawareblock.com - Win.Trojan.Xagent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|adawareblock|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:31931; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain internetexplorers.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|internetexplorers|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:32019; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.xsser.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|xsser|03|com|00|"; fast_pattern:only; reference:url,www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:32051; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nova|04|ns01|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/57aa67972415147eb3f236aec8d928dcfb146d7bb5790e696a08d224483f6f06/analysis/; classtype:trojan-activity; sid:32079; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nova|04|ddns|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/7c3c007794603b40dba6791a98f7fb5710622abdc58ff382d5df6e5dd9141530/analysis/; classtype:trojan-activity; sid:32078; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain java.ns1.name - Win.Trojan.Plugx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|java|03|ns1|04|name|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32177; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain av4.microsoftsp3.com - Win.Trojan.Plugx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|av4|0C|microsoftsp3|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32176; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain worldnews247.net - Win.Trojan.Kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|worldnews247|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/9d4f4224eb1fda4a90c775e59730e0e404d5a0f82d4e48f240e1337dbcb0bb05/analysis/; classtype:trojan-activity; sid:32219; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mcclient.freetzi.com - WIN.Trojan.Clemint"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|mcclient|07|freetzi|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/c331ddf1104c7a7f556c97d0aeb87ab1ab174a3e13d87a7b866651e8a226e57f/analysis/; classtype:trojan-activity; sid:32242; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mcclient.0catch.com - WIN.Trojan.Clemint"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|mcclient|06|0catch|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/c331ddf1104c7a7f556c97d0aeb87ab1ab174a3e13d87a7b866651e8a226e57f/analysis/; classtype:trojan-activity; sid:32241; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain good.myftp.org - Win.Trojan.Farfi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|good|05|myftp|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/184c083e839451c2ab0de7a89aa801dc0458e2bd1fe79e60f35c26d92a0dbf6a/analysis/; classtype:trojan-activity; sid:32309; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cryptdice.com - Win.Trojan.Waski"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cryptdice|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cryptdice.com/information/; classtype:trojan-activity; sid:32298; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cemotrans.com - Win.Trojan.Waski"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cemotrans|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cemotrans.com/information/; classtype:trojan-activity; sid:32297; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain test.hoseen454r.com - Win.Trojan.Sapertilz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|test|0A|hoseen454r|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/91e3d08c7e86f38725842943a843d85ec2a50a785b1d1364e914cb9b8b222ffd/analysis/; classtype:trojan-activity; sid:32286; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain auty.organiccrap.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|auty|0B|organiccrap|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32393; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adda.lengendport.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|adda|0B|lengendport|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32392; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tsl.gettrials.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|tsl|09|gettrials|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32391; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tiptronic.soxx.us - Scarsi Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|tiptronic|04|soxx|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff/analysis/; classtype:trojan-activity; sid:32385; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain octoberpics.ru - Win.Trojan.TorrentLocker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|octoberpics|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23/analysis/; classtype:trojan-activity; sid:32463; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain total-updates.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|total-updates|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/d5949af0d291eb18c22a77f058bef93f224b5d1e31214adb41bdf025c5de91a3/analysis/; classtype:trojan-activity; sid:32454; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msframeworkx86.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|msframeworkx86|02|ru|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/url/dc4c5fccde63fb62768feae2daaa70d209c4d830299c7dd124170e3eea79916b/analysis/; classtype:trojan-activity; sid:32453; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msframeworkx86.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|msframeworkx86|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/308ea6b5af865ccf1bf1961df2cabcc867fa5d6e8c46ffb998c2792d43edac3c/analysis/; classtype:trojan-activity; sid:32452; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain total-update.com - Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|total-update|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/aa69ae9c58f0d8e5b9d57cbabbe41b2c8284fefa44f54bd2bbb3beaaf13a4f4b/analysis/; classtype:trojan-activity; sid:32449; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cyberwise.biz - Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cyberwise|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/3a1e9df788bd159e63a0412388deb5c3c05c8959cfd25b60f14bf9bc8967b88d/analysis/; classtype:trojan-activity; sid:32447; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 143biz.cc.md-14.webhostbox.net - Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|143biz|02|cc|05|md-14|0A|webhostbox|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/b7aac87f8be38de5a35efac918c577380f229d461c5d7567bd5842b71d252523/analysis/; classtype:trojan-activity; sid:32446; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hydroac.info - Win.Trojan.Hancitor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|hydroac|04|info|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/hydroac.info/information/; classtype:trojan-activity; sid:32522; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sunzestate|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sunzestate.com/information/; classtype:trojan-activity; sid:32549; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pierrejb.agora.eu.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|pierrejb|05|agora|02|eu|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:32577; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cechire.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|cechire|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f7f334515f0b6ee9fe92ccf0774748d933a82e297d5bf82c9e0d05bd8762d84f/analysis/; classtype:trojan-activity; sid:32612; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qov.hu.com - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32661; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain q0v.pl - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32660; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain natoexhibitionff14.com - Group 74"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32658; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32655; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain danidata.dk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|danidata|02|dk|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/a4583318c3328204f56810ca3b22f5e4c0a74b173b1a12c5f9e35c70982a1138/analysis/; classtype:trojan-activity; sid:32676; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fabernext.roma1.infn.it - Win.Backdoor.Typideg variant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|fabernext|05|romal|04|infn|02|it|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3cd6ad651257f66e9a68d9c89f14666941886e4251983fe7f9bff898b435827e/analysis/; classtype:trojan-activity; sid:32733; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.ilscnu.org.FindHere.org - Win.Backdoor.Uclinu variant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|ilscnu|03|org|08|FindHere|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/765cefb36c47598a711e00f1cb9a64cde9014b0984ac5ae8ff7b462e757d8eb2/analysis/; classtype:trojan-activity; sid:32726; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.web.lookin.at - 
Win.Backdoor.Eskaetee variant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|03|web|06|lookin|02|at|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e1074398baf00c37067b9717e90758bb0708897a447f9e887cc7a0ecd9acdb85/analysis/; classtype:trojan-activity; sid:32779; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|niudoudou|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/944df4f8307f53132bef58d5f74ff7473512b8c03461d60317134ab024213e18/analysis/; classtype:trojan-activity; sid:32984; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|it885|03|com|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/944df4f8307f53132bef58d5f74ff7473512b8c03461d60317134ab024213e18/analysis/; classtype:trojan-activity; sid:32983; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|fxxx114|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/944df4f8307f53132bef58d5f74ff7473512b8c03461d60317134ab024213e18/analysis/; classtype:trojan-activity; sid:32982; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|aquametron|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/944df4f8307f53132bef58d5f74ff7473512b8c03461d60317134ab024213e18/analysis/; classtype:trojan-activity; sid:32981; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|nettwerk|03|x10|02|mx|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/nettwerk.x10.mx/information/; classtype:trojan-activity; sid:32972; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news-bbc.podzone.org - Linux.Trojan.Turla"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|news-bbc|07|podzone|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4/analysis/; classtype:trojan-activity; sid:33154; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain okurimono.ina-ka.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|okurimono|06|ina-ka|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:33150; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yougotissuez.com - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|yougotissuez|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33144; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thepicturehut.net - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|thepicturehut|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33143; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain socksa.com - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|socksa|03|com|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33142; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hnox.org - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hnox|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33140; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thesexydude.com - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|thesexydude|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33138; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thejacksonfive.us - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|thejacksonfive|02|us|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33137; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thejacksonfive.mobi - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|thejacksonfive|04|mobi|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33136; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thejacksonfive.biz - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|thejacksonfive|03|biz|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33135; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tamiflux.org - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|tamiflux|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33134; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tamiflux.net - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|tamiflux|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33133; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sexme.in - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sexme|02|in|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33132; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gusanodeseda.net - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|gusanodeseda|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33127; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gusanodeseda.mobi - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|gusanodeseda|04|mobi|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33126; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain extraperlo.biz - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|extraperlo|03|biz|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33125; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain defintelsucks.net - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|defintelsucks|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33123; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain defintelsucks.com - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|defintelsucks|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33122; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain butterfly.BigMoney.biz - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|butterfly|08|BigMoney|03|biz|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33121; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain binaryfeed.in - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|binaryfeed|02|in|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33119; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stat.wamme.cn - Win.Trojan.OnlineGames"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|stat|05|wamme|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/stat.wamme.cn/information/; classtype:trojan-activity; sid:33283; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain absurdherd.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|absurdherd|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33281; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gfdimage.esy.es - Win.Trojan.Gefetroe"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|gfdimage|03|esy|02|es|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/gfdimage.esy.es/information/; classtype:trojan-activity; sid:33438; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tracking-recipient.net46.net - Win.Cossta"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|tracking-recipient|05|net46|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/cdaa661e2b5913997f4d905e0490bd8d9069a0c9f90a13944d5d3e1d6d1f2089/analysis/; classtype:trojan-activity; sid:33560; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lacdileftre.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|lacdileftre|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33844; rev:2;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mifastubiv.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mifastubiv|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33843; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain weksrubaz.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|weksrubaz|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33842; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tabidzuwek.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tabidzuwek|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33841; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xablopefgr.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xablopefgr|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33840; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain linturefa.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|linturefa|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33839; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ere5453.com - Win.Trojan.Jadtre"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ere5453|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4060C7DBDA6AB0B743843D3372FCBAF87F920085F7E7E8CA314A19211AC352CC/analysis/; 
classtype:trojan-activity; sid:33882; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cybercrime|05|rocks|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cybercrime.rocks/information/; classtype:trojan-activity; sid:34043; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|s12|06|site90|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/6083bdfc82aacf53f91b588a8b599f759fadcbd198fe66c095644f55dba44faa/analysis/; classtype:trojan-activity; sid:34040; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lazyshare.net - Win.Trojan.Nanocore"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|lazyshare|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/lazyshare.net/information/; classtype:trojan-activity; sid:34218; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mymoney.000a.de - Win.Trojan.Fareit"; byte_test:1,!&,0xF8,2; content:"|07|mymoney|04|000a|02|de|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/74e82708e5ac9eea253f3701bc625cef1ffc6385ee96954ddc586e198bc8dd41/analysis/; classtype:trojan-activity; sid:34370; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|mobilitysvc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:29659; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|thirdbase|05|bugs3|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:29658; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sales|03|eu5|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:29657; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|javaupdate|09|flashserv|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:29656; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ngusto-uro.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ngusto-uro|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:34490; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nonobabe.100webspace.net - Win.Trojan.Zinnemls"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|nonobabe|0B|100webspace|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/nonobabe.100webspace.net/information/; classtype:trojan-activity; sid:34571; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain driveake.webcindario.com - Win.Trojan.Zinnemls"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|driveake|0B|webcindario|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/driveake.webcindario.com/information/; classtype:trojan-activity; sid:34570; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a-gwas-01.dyndns.org - Win.Trojan.Windex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|a-gwas-01|06|dyndns|03|org|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/544b5784de49d3b614f4954b4eae89bc54ff78137f7b32e436e5fdee3f40c7a1/analysis/; classtype:trojan-activity; sid:34713; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a-gwas-01.slyip.net - Win.Trojan.Windex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|a-gwas-01|05|slyip|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/544b5784de49d3b614f4954b4eae89bc54ff78137f7b32e436e5fdee3f40c7a1/analysis/; classtype:trojan-activity; sid:34712; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a.gwas.perl.sh - Win.Trojan.Windex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|a|04|gwas|04|perl|02|sh|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/544b5784de49d3b614f4954b4eae89bc54ff78137f7b32e436e5fdee3f40c7a1/analysis/; classtype:trojan-activity; sid:34711; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stenfirthsta.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|stenfirthsta|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34706; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sivesuhat.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sivesuhat|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34705; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain repherfeted.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|repherfeted|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34701; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain rechedtthaten.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|rechedtthaten|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34699; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qwertygontul.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|qwertygontul|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34698; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pavesohap.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|pavesohap|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34695; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain juindorey.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|juindorey|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34689; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hepretfortna.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|hepretfortna|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34688; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gutontredsup.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|gutontredsup|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34687; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain gantropine.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gantropine|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34686; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain forttapaha.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|forttapaha|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34684; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serfilefnom.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|serfilefnom|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34678; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain queryforworld.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|queryforworld|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34677; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wertstumbahn.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|wertstumbahn|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34676; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serppoglandam.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|serppoglandam|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34675; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain restavratormira.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|restavratormira|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34674; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain petronasconn.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|petronasconn|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34673; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vesnarusural.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|vesnarusural|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34672; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain switlawert.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|switlawert|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34671; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mehanistran.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mehanistran|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34670; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain srachechno.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|srachechno|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34668; rev:2;) # alert udp $HOME_NET 
any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lasttrainforest.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|lasttrainforest|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34664; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain howthatficy.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|howthatficy|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34663; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain terethaundv.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|terethaundv|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34662; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ferepritdi.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ferepritdi|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34661; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dingdownmahedt.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|dingdownmahedt|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34660; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apporistale.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|apporistale|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34657; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain seccionpolitica.com.ar - Win.Trojan.Cozybear"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|seccionpolitica|03|com|02|ar|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/seccionpolitica.com.ar/information/; classtype:trojan-activity; sid:34830; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pvt.relance.fr - Win.Trojan.Cozybear"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pvt|07|relance|02|fr|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/pvt.relance.fr/information/; classtype:trojan-activity; sid:34828; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aotc.ru - Win.Trojan.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|aotc|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1e58f55d35c71f42c56ddd3b50f3ee32a8632dbd6ced812882f20a8228902a39/analysis/; classtype:trojan-activity; sid:34928; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|killer0709|0A|pf-control|02|de|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/953524dda217572280dfc14dff377f4bec0ea78cca599257fa24e90175cb7c19/analysis/; classtype:trojan-activity; sid:35028; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tooti15.no-ip.biz - Win.Trojan.AutoIt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tooti15|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/c35d9d75b674906496826be297611adb3e5bb31e6cd9504902aed6ada8d77b78/analysis/; classtype:trojan-activity; sid:35068; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain houstonsbackyard.com - Win.Trojan.Dridex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|houstonsbackyard|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/houstonsbackyard.com/information/; classtype:trojan-activity; sid:35100; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain houseofsultan.co.uk - Win.Trojan.Dridex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|houseofsultan|02|co|02|uk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/houseofsultan.co.uk/information/; classtype:trojan-activity; sid:35099; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain img.lifesolves.com - Win.Backdoor.Bimteni"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|img|0A|lifesolves|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/ea14b80a529b24635f739f86fe2f2a30ad19934d806d8dbd80b5dbe6e3080a4d/analysis/; classtype:trojan-activity; sid:35370; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain domain.gokickes.com - Win.Backdoor.Bimteni"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|domain|08|gokickes|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/99157a78fdf812441029f89eb5eba3ac65e80b82dac4bed72194af2d0068ef48/analysis/; classtype:trojan-activity; sid:35369; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bbs.gokickes.com - Win.Backdoor.Bimteni"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bbs|08|gokickes|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/66c5957fb2fc2850f9f2594168207ff29e23d9692cb46d57b4e6783c4c007be7/analysis/; classtype:trojan-activity; sid:35368; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dpaste.dzfl.pl - Trojan.Win32.Nibagem"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|06 64 70 61 73 74 65 04 64 7A 66 6C 02 70 6C 00|"; fast_pattern:only; reference:url,virustotal.com/en/file/f9432e1185b0d67e81e81debc2858ec83389e0b9d5ef61fea7e87f0fef49302b/analysis/; classtype:trojan-activity; sid:35595; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|quadjacks|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/quadjacks.com/information/; classtype:trojan-activity; sid:35801; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|itsurvive|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/itsurvive.com/information/; classtype:trojan-activity; sid:35800; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|teenpornotube|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/teenpornotube.org/information/; classtype:trojan-activity; sid:35793; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|shmetterheath|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/shmetterheath.ru/information/; classtype:trojan-activity; sid:35792; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|18|serenitynowbooksandgifts|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/serenitynowbooksandgifts.com/information/; classtype:trojan-activity; sid:35791; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fgainterests|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/fgainterests.com/information/; classtype:trojan-activity; sid:35789; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|ezglobalmarketing|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ezglobalmarketing.com/information/; classtype:trojan-activity; sid:35788; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|exonapps|02|nl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/exonapps.nl/information/; classtype:trojan-activity; sid:35839; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|drop-into|03|hol|02|es|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/drop-into.hol.es/information/; classtype:trojan-activity; sid:35838; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|bokerensheng|06|lofter|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/bokerensheng.lofter.com/information/; classtype:trojan-activity; sid:36185; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for 
known malware domain init.icloud-analysis.com - XcodeGhost"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|init|0F|icloud-analysis|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/init.icloud-analysis.com/information/; classtype:trojan-activity; sid:36207; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain init.icloud-diagnostics.com - XcodeGhost"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|init|12|icloud-diagnostics|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/init.icloud-diagnostics.com/information/; classtype:trojan-activity; sid:36206; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain init.crash-analytics.com - XcodeGhost"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|init|0F|crash-analytics|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/init.crash-analytics.com/information/; classtype:trojan-activity; sid:36205; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ali5319ali.mooo.com - Win.Downloader.Bladabindi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ali5319ali|04|mooo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ali5319ali.mooo.com/information/; classtype:trojan-activity; sid:36200; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vincenzo-sorelli.com - Win.Trojan.Corebot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|vincenzo-sorelli|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/vincenzo-sorelli.com/information/; classtype:trojan-activity; sid:36274; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain arijoputane.com - Win.Trojan.Corebot"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0B|arijoputane|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/arijoputane.com/information/; classtype:trojan-activity; sid:36273; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|exenull1|07|appspot|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/5b1d1d96de5504c2ef035adfea219c944b31ab5526ada20a0899da58e1e98468/analysis/; classtype:trojan-activity; sid:36293; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain update.ciscofreak.com - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|0A|ciscofreak|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/update.ciscofreak.com/information/; classtype:trojan-activity; sid:36395; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sip.supportcom.xyz - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sip|0A|supportcom|03|xyz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sip.supportcom.xyz/information/; classtype:trojan-activity; sid:36394; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.buybit.us - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|06|buybit|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/news.buybit.us/information/; classtype:trojan-activity; sid:36392; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain games.buybit.us - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|games|06|buybit|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/games.buybit.us/information/; 
classtype:trojan-activity; sid:36391; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain facetoo.co.vu - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|facetoo|02|co|02|vu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/facetoo.co.vu/information/; classtype:trojan-activity; sid:36390; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mindfucktoys.com - Necurs"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|mindfucktoys|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/mindfucktoys.com/information/; classtype:trojan-activity; sid:36382; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kemoge.net - Kemoge"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kemoge|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/kemoge.net/information/; classtype:trojan-activity; sid:36470; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain coldydesign.com - Win.Trojan.AridViper"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|coldydesign|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/coldydesign.com/information/; classtype:trojan-activity; sid:36466; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yalladesign.net - Win.Trojan.AridViper"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|yalladesign|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/yalladesign.net/information/; classtype:trojan-activity; sid:36465; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oowdesign.com - Win.Trojan.AridViper"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|oowdesign|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/oowdesign.com/information/; classtype:trojan-activity; sid:36464; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|smartcell|0B|webcindario|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/smartcell.webcindario.com/information/; classtype:trojan-activity; sid:36521; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gfxcorp|0A|engenharia|02|ws|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/gfxcorp.engenharia.ws/information/; classtype:trojan-activity; sid:36519; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|corpsone|0C|agropecuaria|02|ws|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/corpsone.agropecuaria.ws/information/; classtype:trojan-activity; sid:36518; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|luxurybro|02|co|02|kr|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/luxurybro.co.kr/information/; classtype:trojan-activity; sid:36539; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|fas-go-jp-security|12|servecounterstrike|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/fas-go-jp-security.servecounterstrike.com/information/; classtype:trojan-activity; sid:36538; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blogbox.it - Win.Trojan.Stupeval"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|blogbox|02|it|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/blogbox.it/information/; classtype:trojan-activity; sid:36764; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|webdelphi|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/webdelphi.ru/information/; classtype:trojan-activity; sid:36769; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|razercommns|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/razercommns.com/information/; classtype:trojan-activity; sid:36768; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|xa|0B|yessearches|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/xa.yessearches.com/information/; classtype:trojan-activity; sid:36780; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|xa|07|ghokswa|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/xa.ghokswa.com/information/; classtype:trojan-activity; sid:36779; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
zy98.com - Win.Trojan.Zimwervi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|zy98|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/zy98.com/information/; classtype:trojan-activity; sid:36776; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|240|02|la|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/240.la/information/; classtype:trojan-activity; sid:36773; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cbbps0.lh1.in - Trojan.Win32.Ruinmail.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|cbbps0|03|lh1|02|in|00|"; fast_pattern:only; reference:url,virustotal.com/en/domain/cbbps0.lh1.in/information/; classtype:trojan-activity; sid:36799; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain desktopicon.net - Win.Trojan.Nodslit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|desktopicon|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/desktopicon.net/information/; classtype:trojan-activity; sid:36806; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain creativecode.com.br - OSX.Trojan.Mabouia"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|creativecode|03|com|02|br|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/creativecode.com.br/information/; classtype:trojan-activity; sid:36809; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|poems|05|net16|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/poems.net16.net/information/; classtype:trojan-activity; sid:36840; rev:2;) # alert udp 
$HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain mechanicnote.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|mechanicnote|03|com|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36910; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain news-google.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|news-google|03|net|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36909; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain rausers.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|rausers|03|com|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36908; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain foryousee.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|foryousee|03|net|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36907; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain cainformations.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|cainformations|03|com|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36905; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain alternate009.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|alternate009|03|com|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36904; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain oriontronproject.site11.com - Win.Trojan.Sovfo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|oriontronproject|06|site11|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/oriontronproject.site11.com/information/; classtype:trojan-activity; sid:37456; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain supercold1.ddns.net - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|supercold1|04|ddns|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/supercold1.ddns.net/information/; classtype:trojan-activity; sid:37488; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mathew79.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|mathew79|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/mathew79.no-ip.biz/information/; classtype:trojan-activity; sid:37483; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain malouzimbra.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|malouzimbra|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/malouzimbra.no-ip.biz/information/; classtype:trojan-activity; sid:37482; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain faceebook.servehttp.com - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|faceebook|09|servehttp|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/faceebook.servehttp.com/information/; classtype:trojan-activity; sid:37480; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cleintten101.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0C|cleintten101|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cleintten101.no-ip.biz/information/; classtype:trojan-activity; sid:37477; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain althaman123.ohost.de - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|althaman123|05|ohost|02|de|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/althaman123.ohost.de/information/; classtype:trojan-activity; sid:37474; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alohamoneydrop.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|alohamoneydrop|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/alohamoneydrop.no-ip.biz/information/; classtype:trojan-activity; sid:37473; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain akaros79.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|akaros79|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/akaros79.no-ip.biz/information/; classtype:trojan-activity; sid:37472; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.csdimonetize.com - SpywareJarl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0C|csdimonetize|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/www.csdimonetize.com/information/; classtype:trojan-activity; sid:38301; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dl.wizzuniquify.com - SpywareJarl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|dl|0C|wizzuniquify|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dl.wizzuniquify.com/information/; 
classtype:trojan-activity; sid:38299; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dl.auhazard.com - SpywareJarl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|dl|08|auhazard|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dl.auhazard.com/information/; classtype:trojan-activity; sid:38298; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain agent.wizztrakys.com - SpywareJarl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|agent|0A|wizztrakys|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/agent.wizztrakys.com/information/; classtype:trojan-activity; sid:38297; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain melon25.ru - XBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|melon25|02|ru|00|"; fast_pattern:only; reference:url,researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/; reference:url,www.virustotal.com/en/domain/melon25.ru/information/; classtype:trojan-activity; sid:38527; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|wallex|02|ho|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/wallex.ho.ua/information/; classtype:trojan-activity; sid:38612; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gils|02|ho|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/gils.ho.ua/information/; classtype:trojan-activity; sid:38611; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain tongjj.info - JS_JITON"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|tongjj|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/tongjj.info/information/; classtype:trojan-activity; sid:38605; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tongjii|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/tongjii.us/information/; classtype:trojan-activity; sid:38604; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|evengtorsdodint|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/evengtorsdodint.com/information/; classtype:trojan-activity; sid:38725; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adsl.carpediem.fr - Win.Trojan.Adialer"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|adsl|09|carpediem|02|fr|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/adsl.carpediem.fr/information/; reference:url,www.virustotal.com/en/file/EF7D19870822E461D218069EDB16EFDD1298A03F268470F0AD99B514823ADD45/analysis/; classtype:trojan-activity; sid:39051; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webshell.jexboss.net - JSP webshell backdoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|webshell|07|jexboss|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/domain/webshell.jexboss.net/information/; classtype:trojan-activity; sid:39057; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain up-king.com - Win.Trojan.Lorozoad"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|up-king|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/up-king.com/information/; classtype:trojan-activity; sid:39367; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|plusvan|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/plusvan.com/information/; classtype:trojan-activity; sid:39447; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|denoted-chioces|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/1cccc844fcdb255f833a9ef36c2d3c690557b828ed5d0a45d068aeb2af1faac7/analysis/1466174133/; classtype:trojan-activity; sid:39649; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|alwaysonline|02|pw|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/1cccc844fcdb255f833a9ef36c2d3c690557b828ed5d0a45d068aeb2af1faac7/analysis/1466174133/; classtype:trojan-activity; sid:39646; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hi.getgo2.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|hi|06|getgo2|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/hi.getgo2.com/information/; classtype:trojan-activity; sid:39724; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain login.access-mail.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|login|0B|access-mail|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/login.access-mail.com/information/; classtype:trojan-activity; sid:39721; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain intranetwabcam.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|intranetwabcam|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/intranetwabcam.com/information/; classtype:trojan-activity; sid:39720; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain globalprint-us.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|globalprint-us|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/globalprint-us.com/information/; classtype:trojan-activity; sid:39719; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.logitech-usa.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0C|logitech-usa|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39718; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ovhelp.mrbasic.com - Win.Backdoor.Contopee"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ovhelp|07|mrbasic|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ovhelp.mrbasic.com/information/; classtype:trojan-activity; sid:39740; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dns01.ninth.biz - Win.Backdoor.Contopee"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dns01|05|ninth|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dns01.ninth.biz/information/; classtype:trojan-activity; sid:39739; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain file.anyoffice.info - Win.Trojan.Lientchtp"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|file|09|anyoffice|04|info|00|"; 
fast_pattern:only; reference:url,www.virustotal.com/en/domain/file.anyoffice.info/information/; classtype:trojan-activity; sid:39782; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mines.port0.org - Win.Trojan.NanHaiShu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mines|05|port0|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/mines.port0.org/information/; classtype:trojan-activity; sid:39862; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain presentation.twilightparadox.com - Win.Trojan.NanHaiShu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|presentation|0F|twilightparadox|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/presentation.twilightparadox.com/information/; classtype:trojan-activity; sid:39860; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain humans.mooo.info - Win.Trojan.NanHaiShu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|humans|04|mooo|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/humans.mooo.info/information/; classtype:trojan-activity; sid:39859; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eholidays.mooo.com - Win.Trojan.NanHaiShu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|eholidays|04|mooo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/eholidays.mooo.com/information/; classtype:trojan-activity; sid:39858; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eparfum.ro - Donoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|eparfum|02|ro|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/eparfum.ro/information/; classtype:trojan-activity; sid:39940; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain supketwron.ru - Donoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|supketwron|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/supketwron.ru/information/; classtype:trojan-activity; sid:39939; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain web4solution.net - Win.Trojan.Shakti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|web4solution|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/web4solution.net/information/; classtype:trojan-activity; sid:40026; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain securedesignus.com - Win.Trojan.Shakti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|securedesignus|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/securedesignus.com/information/; classtype:trojan-activity; sid:40025; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.cderlearn.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|cderlearn|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41131; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain private.directinvesting.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|private|0F|directinvesting|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41128; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain one2shoppee.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|one2shoppee|03|com|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41127; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|mymodule|0B|waterfilter|02|in|02|ua|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41126; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain insta.reduct.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|insta|06|reduct|02|ru|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41124; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thedragon318.com - Win.Trojan.August"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|thedragon318|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/thedragon318.com/information/; classtype:trojan-activity; sid:41172; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain overstockage.com - Win.Trojan.August"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|overstockage|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/overstockage.com/information/; classtype:trojan-activity; sid:41170; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain muralegdanskzaspa.eu - Win.Trojan.August"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|muralegdanskzaspa|02|eu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/muralegdanskzaspa.eu/information/; classtype:trojan-activity; sid:41169; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain krusingtheworld.de - Win.Trojan.August"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|krusingtheworld|02|de|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/krusingtheworld.de/information/; classtype:trojan-activity; sid:41168; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain himalayard.de - Win.Trojan.August"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|himalayard|02|de|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/himalayard.de/information/; classtype:trojan-activity; sid:41167; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|chrome-up|04|date|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/chrome-up.date/information/; classtype:trojan-activity; sid:41655; rev:2;)
# NOTE(review): sid 41779 below is the only DNS rule in this section without the byte_test:1,!&,0xF8,2 option that every sibling rule carries. That test reads the DNS header flags byte at offset 2 and requires QR=0 and opcode=0, i.e. a standard query; without it the QNAME content match is not restricted to standard queries. Left as-is because the rule is deleted; re-add the check if the rule is ever revived.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba"; flow:to_server; content:"|09|eye-watch|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/eye-watch.in/information/; classtype:trojan-activity; sid:41779; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Trojan.Ismdoor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|0D|winappupdater|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/update.winappupdater.com/information/; classtype:trojan-activity; sid:42130; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qd.netkill.com.cn - Trojan-Downloader.Win32.Adload.rzx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|qd|07|netkill|03|com|02|cn|00|"; 
fast_pattern:only; reference:url,snort.org/rule_docs/1-16834; classtype:trojan-activity; sid:16834; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain andy.cd - Backdoor.Win32.Agent.auto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|andy|02|cd|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16856; classtype:trojan-activity; sid:16856; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gite-eguisheim.com - Trojan-Downloader.Win32.Piker.clp"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|gite-eguisheim|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16861; classtype:trojan-activity; sid:16861; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain v.yao63.com - Trojan-Downloader.Win32.Agent.dqns"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|v|05|yao63|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16852; classtype:trojan-activity; sid:16852; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain down.p2pplay.com - Trojan-GameThief.Win32.OnLineGames.wgkv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|down|07|p2pplay|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16906; classtype:trojan-activity; sid:16906; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain youword.cn - Trojan.Win32.Scar.bvgu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|youword|02|cn|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16873; classtype:trojan-activity; sid:16873; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain monicaecarlos.com - Trojan-Downloader.Win32.Genome.awxv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|monicaecarlos|03|com|00|"; 
fast_pattern:only; reference:url,snort.org/rule_docs/1-16885; classtype:trojan-activity; sid:16885; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dbtte.com - Trojan-Banker.Win32.Banz.crk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dbtte|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16888; classtype:trojan-activity; sid:16888; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain promojoy.net - Packed.Win32.Krap.gx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|promojoy|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16902; classtype:trojan-activity; sid:16902; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain up1.give2sms.com - Trojan-Downloader.Win32.Genome.est"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|up1|08|give2sms|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16854; classtype:trojan-activity; sid:16854; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tt.vv49.com - Trojan-GameThief.Win32.OnLineGames.bnkb"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|tt|04|vv49|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16869; classtype:trojan-activity; sid:16869; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain reportes201.com - Trojan-Downloader.Win32.Genome.ashe"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|reportes201|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16900; classtype:trojan-activity; sid:16900; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain urodinam.net - Trojan.Win32.TDSS.azsj"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|urodinam|03|net|00|"; fast_pattern:only; 
reference:url,snort.org/rule_docs/1-16860; classtype:trojan-activity; sid:16860; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain search.sidegreen.com - Backdoor.Win32.Agent.arqi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|search|09|sidegreen|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16870; classtype:trojan-activity; sid:16870; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hostshack.net - Trojan.Win32.Buzus.empl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|hostshack|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16868; classtype:trojan-activity; sid:16868; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gerherber.com - Trojan-Spy.Win32.Zbot.akdw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|gerherber|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16859; classtype:trojan-activity; sid:16859; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gpwg.ws - Worm.Win32.AutoRun.bjca"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gpwg|02|ws|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16903; classtype:trojan-activity; sid:16903; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain brutalxvideos.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|brutalxvideos|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17871; classtype:trojan-activity; sid:17871; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vc.iwriteweb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|vc|09|iwriteweb|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17838; classtype:trojan-activity; sid:17838; rev:8;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain procca.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|procca|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17882; classtype:trojan-activity; sid:17882; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.grannyplanet.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0C|grannyplanet|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17840; classtype:trojan-activity; sid:17840; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fuckersucker.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fuckersucker|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17849; classtype:trojan-activity; sid:17849; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain motuh.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|motuh|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17819; classtype:trojan-activity; sid:17819; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sexmoviesland.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|sexmoviesland|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17827; classtype:trojan-activity; sid:17827; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aahydrogen.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|aahydrogen|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17845; classtype:trojan-activity; sid:17845; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.very-young-boys.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|www|0F|very-young-boys|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17875; classtype:trojan-activity; sid:17875; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 91629.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|91629|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17876; classtype:trojan-activity; sid:17876; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rpt2.21civ.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rpt2|05|21civ|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17863; classtype:trojan-activity; sid:17863; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.lamiaexragazza.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0E|lamiaexragazza|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17854; classtype:trojan-activity; sid:17854; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mejac.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mejac|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17860; classtype:trojan-activity; sid:17860; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dickvsclit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dickvsclit|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17830; classtype:trojan-activity; sid:17830; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain acofinder.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|acofinder|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17855; classtype:trojan-activity; sid:17855; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain js.222233.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|js|06|222233|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17839; classtype:trojan-activity; sid:17839; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain autouploaders.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|autouploaders|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17883; classtype:trojan-activity; sid:17883; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mskla.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mskla|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17847; classtype:trojan-activity; sid:17847; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.cnhack.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|cnhack|02|cn|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17857; classtype:trojan-activity; sid:17857; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ayb.host127-0-0-1.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ayb|0D|host127-0-0-1|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17878; classtype:trojan-activity; sid:17878; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.auto328.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|auto328|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18089; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.wwmei.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|wwmei|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18095; rev:7;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.goodfriends.or.kr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|goodfriends|02|or|02|kr|00|"; fast_pattern:only; classtype:trojan-activity; sid:18091; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.opusgame.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|opusgame|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18093; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gopheisstoo.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|gopheisstoo|02|cc|00|"; fast_pattern:only; classtype:trojan-activity; sid:18255; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vcxde.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|vcxde|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18251; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftuny.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ftuny|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18258; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dns-check.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dns-check|03|biz|00|"; fast_pattern:only; classtype:trojan-activity; sid:18257; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lo4undreyk.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lo4undreyk|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19532; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 7gaur15eb71.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0B|7gaur15eb71|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19508; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zz87lhfda88.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|zz87lhfda88|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19550; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 1il1il1il.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|1il1il1il|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19501; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 69b69b6b96b.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|69b69b6b96b|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19507; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lysyfyj.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|lysyfyj|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=23f749ef8a86a3098305927ec14b39592cc669d54189fce142d2f0cb76339e40-1311846441; classtype:trojan-activity; sid:19644; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.java119.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|java119|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=22c22435b3d5b69c75fe214714fd3cc37bb24b998809ae9089a7384a52850204-1311263776; classtype:trojan-activity; sid:19643; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain tinaivanovic.sexy-serbian-girls.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tinaivanovic|12|sexy-serbian-girls|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=24a02143b7675197c3efbd37e1d0cb8e1908aff3d7480291d4d366c7fbc4e9b7-1305751287; classtype:trojan-activity; sid:19663; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain keshmoney.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|keshmoney|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=9bc71c92c509fc1c2012e970b17fb028aedf094b7dc73c8daa5174620e443d9c-1307482449; classtype:trojan-activity; sid:19662; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smellypussy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|smellypussy|04|info|00|"; fast_pattern:only; reference:url,ownedsecurity.blogspot.com/2011/06/smellypussyinfongrbot-very-large-irc.html; classtype:trojan-activity; sid:19664; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xzrw0q.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|xzrw0q|03|com|00|"; fast_pattern:only; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.virustotal.com/file-scan/report.html?id=9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440-1312768792; classtype:trojan-activity; sid:19738; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 770304123.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|770304123|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=c705119070ef76de3ff2667ecf59555d6b40bad38a4be4a586b936caafcf9c81-1311181595; classtype:trojan-activity; sid:19734; rev:5;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain qfsl.net - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|qfsl|03|net|00|"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19874; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jifr.net - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jifr|03|net|00|"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19879; rev:5;) # alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"DELETED BLACKLIST DNS query to DNSChanger malware IP address"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:21245; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain buffet.servehttp.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|buffet|09|servehttp|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:22096; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain okie.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|okie|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22537; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain epi.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|epi|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22305; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gjjr.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gjjr|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22355; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain king-kl.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|king-kl|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22409; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drs.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|drs|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22289; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain paekl.gmailboxes.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|paekl|0A|gmailboxes|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22561; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain corp.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|corp|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22248; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain anglo.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|anglo|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22145; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hapyy2010.lflinkup.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|hapyy2010|08|lflinkup|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22367; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain house.gmailboxes.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|house|0A|gmailboxes|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22376; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-aa.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ug-aa|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22850; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.billten.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|07|billten|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22886; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctx.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ctx|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22265; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ins.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ins|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22390; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain test.chileexe77.com"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|04|test|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22697; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22473; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sotp.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sotp|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22664; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mfa.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mfa|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22484; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy2.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucy2|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22857; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao8.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao8|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22608; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bee.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bee|10|businessconsults|03|net|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22190; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain web.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|web|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22777; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iabk.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|iabk|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22381; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sfn.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sfn|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22640; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tod.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|tod|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22704; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shot.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|shot|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22641; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wpvn.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wpvn|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22802; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request 
for known malware domain sllaw.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sllaw|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22647; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|lucy|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22465; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sute.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sute|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22688; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sea001.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|sea001|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22633; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain picture.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|picture|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22572; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain workstation.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|workstation|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22797; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain control.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|07|control|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22243; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klotp.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|klotp|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22429; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nis.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nis|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22529; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-piec.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-piec|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22733; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain leets.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|leets|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22443; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain moto.mefound.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|moto|07|mefound|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22494; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aar.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|aar|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22122; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain westkl.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|westkl|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22789; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftp.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22340; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tx.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|tx|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22709; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dfait-kl.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|dfait-kl|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22276; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain finekl.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|finekl|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22322; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mailserver.instanthq.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mailserver|09|instanthq|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22874; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
www-conoco.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|www-conoco|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22815; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ne.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|ne|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22506; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cac.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cac|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22206; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gdaa.ns02.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gdaa|04|ns02|04|info|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22349; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nature.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|nature|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22499; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.india-videoer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0D|india-videoer|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22843; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|worthhummer|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22824; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain itau.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|itau|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22399; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-asg.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-asg|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22713; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pop|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22895; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sports.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|sports|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22669; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ffej.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ffej|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22311; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain priv.dsmtp.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|priv|05|dsmtp|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22592; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain tape.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|tape|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22693; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain milk.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|milk|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22486; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ln.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|ln|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22446; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao6.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao6|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22868; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wsyggfw.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|wsyggfw|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22805; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain finance.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|finance|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22318; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trip.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|trip|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22708; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain love.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|love|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22460; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain login.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|login|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22454; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klecca.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klecca|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22418; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctcn.dns2.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ctcn|04|dns2|02|us|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22261; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ddbb.gxdet.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ddbb|05|gxdet|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22885; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dcs.ygto.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dcs|04|ygto|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22269; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain friends.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|friends|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22336; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rcs.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|rcs|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22613; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apss.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|apss|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22156; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eye.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|eye|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22309; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 33bees.servebeer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|33bees|09|servebeer|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22118; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iscu.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|iscu|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22397; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain chamus.gmailboxes.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|06|chamus|0A|gmailboxes|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22229; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mcsc.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mcsc|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22481; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain india.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|india|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22384; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lw.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|lw|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22468; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.scitence.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|08|scitence|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22890; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain glx.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|glx|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22358; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|webmail|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; 
sid:22781; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wapi.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wapi|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22772; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adt.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|adt|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22131; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain servf.zyns.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|servf|04|zyns|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22637; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klati.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|klati|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22413; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stock.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|stock|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22683; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ccsukl.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ccsukl|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22222; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain copierexpert.com"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0C|copierexpert|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22247; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sports.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|sports|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22668; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bob.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bob|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22195; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kl-rio.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kl-rio|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22432; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao3.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao3|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22603; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apa.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|apa|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22149; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.busketball.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0A|busketball|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22516; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bda.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bda|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22189; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain knews.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|knews|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22438; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sip.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sip|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22644; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-cono.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-cono|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22721; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nci.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nci|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22502; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain finekl.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|finekl|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22323; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caaid.newsonet.net"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|05|caaid|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22205; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gaca.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gaca|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22345; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ecc.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ecc|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22298; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ausi.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ausi|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22174; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slnoa.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slnoa|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22847; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wnam.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wnam|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22794; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gee.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|gee|08|safalife|03|com|00|"; fast_pattern:only; 
reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22899; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nat.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nat|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22498; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain safbejn.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|safbejn|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22624; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-pnl.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-pnl|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22735; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain afda.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|afda|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22136; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vpn.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vpn|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22767; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trb.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|trb|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22849; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain srs.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|srs|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22671; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain loper.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|loper|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22459; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a-if.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|a-if|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22140; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adb.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|adb|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22126; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sys.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sys|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22692; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao3.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao3|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22865; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
cov.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cov|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22250; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain songs.longmusic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|songs|09|longmusic|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22880; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iea.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|iea|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22382; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ssa.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ssa|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22674; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sea.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sea|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22634; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain techniq.whandjg.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|techniq|07|whandjg|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22896; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain phb.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|phb|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22571; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sky.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sky|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22646; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain otps.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|otps|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22546; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain research.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|research|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22617; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain afw.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|afw|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22137; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-cccc.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-cccc|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22718; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain contact.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|contact|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22242; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trb.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|trb|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22707; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hapyy2010.lflinkup.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|hapyy2010|08|lflinkup|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22837; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www1.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www1|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22808; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain world.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|world|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22798; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22387; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fnpc.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fnpc|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22333; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nhs.newsonet.net"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nhs|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22528; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain engineer2010.mynumber.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|engineer2010|08|mynumber|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22302; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain snoopy.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|snoopy|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22658; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mfc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mfc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22485; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain epi.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|epi|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22304; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao5.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao5|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22605; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hrsy.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hrsy|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; 
sid:22378; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain roger.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|roger|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22621; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 08elec.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|08elec|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22116; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-ccr.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-ccr|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22719; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctisk.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ctisk|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22264; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wpcs.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wpcs|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22799; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain center.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|center|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22226; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
bobo.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|bobo|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22196; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|lucy|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22860; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22517; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22821; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain num.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|num|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22535; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ncsc.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ncsc|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22505; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kl-mfa.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kl-mfa|08|newsonet|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22425; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-enrc.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-enrc|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22724; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain argentinia.faqserv.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|argentinia|07|faqserv|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22872; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fim.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fim|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22317; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain asis.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|asis|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22165; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain default.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|default|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22270; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jhd.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|jhd|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22405; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain dns.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dns|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22279; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain up.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|up|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22746; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.india-videoer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|india-videoer|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22844; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mos.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mos|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22493; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smooth.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|smooth|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22655; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain finekl.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|finekl|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22321; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mpe.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|mpe|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22496; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cow.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cow|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22252; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rj.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|rj|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22620; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aar.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|aar|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22882; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-ga.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ug-ga|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22725; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aol.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|aol|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22146; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ati2.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ati2|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22170; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flashingaway.otzo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashingaway|04|otzo|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22326; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain back.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|back|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22179; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-ati.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-ati|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22714; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain office.lflink.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|office|06|lflink|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22877; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klape.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|klape|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22412; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftrj.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ftrj|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22341; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apa.safalife.com"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|apa|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22150; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain explorer.pcanywhere.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|explorer|0A|pcanywhere|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22308; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adtlk.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|adtlk|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22133; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sona.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sona|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22661; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pme.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pme|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22575; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-rev.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-rev|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22736; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qua.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qua|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22609; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sys.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sys|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22841; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sports.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|sports|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22869; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cool.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|cool|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22246; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sbh.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sbh|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22630; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain service.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|service|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22638; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao4.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao4|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22604; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain utc.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|utc|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22752; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain spte.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|spte|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22670; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gege.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gege|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22352; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alarm.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|alarm|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22141; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain weather.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|weather|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22776; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sifcc.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sifcc|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22643; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bah.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|bah|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22181; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain was.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|was|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22773; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dotnet.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dotnet|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22285; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mlls.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mlls|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22489; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-bdai.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-bdai|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22715; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain astone.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|astone|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22169; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wrim.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wrim|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22804; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain optimizon.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|optimizon|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22543; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aam.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|aam|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22121; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22818; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mcsc.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mcsc|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22480; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csupp.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|csupp|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22259; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fstl.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fstl|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22337; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain index.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|05|index|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22383; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nrfn.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nrfn|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22531; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pop|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22585; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newport.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|newport|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22512; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ceros.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ceros|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22228; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain part.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|part|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22563; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain epod.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|epod|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; 
classtype:trojan-activity; sid:22836; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-kfc.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-kfc|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22728; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cdd.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cdd|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22225; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vsec.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vsec|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22769; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klmfat.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klmfat|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22426; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain denel.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|denel|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22272; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jbei.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jbei|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22401; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain lhd.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|lhd|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22444; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucie.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucie|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22462; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.billten.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|07|billten|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22893; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22469; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fher.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fher|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22314; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain arainfo.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|arainfo|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22160; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain date.gmailboxes.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|date|0A|gmailboxes|03|com|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22268; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain knab.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|knab|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22437; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kit.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|kit|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22410; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22513; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ssun.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ssun|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22679; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slutc.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slutc|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22654; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klwest.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klwest|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22435; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain soler.buisnessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|soler|10|buisnessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22660; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain chq.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|chq|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22230; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bswt.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|bswt|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22199; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wff.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wff|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22791; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain new.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|new|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22509; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain buyer.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|buyer|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22203; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dsh.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dsh|08|newsonet|03|net|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22290; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nci.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nci|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22501; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sos.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sos|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22848; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kl-care.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|kl-care|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22417; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain acu.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|acu|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22125; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ecc.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ecc|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22297; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain na.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|na|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22497; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain www2.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22811; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain update.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22744; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fmcc.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fmcc|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22329; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hpd.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|hpd|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22377; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fineca.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|fineca|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22320; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mosfdns.ddns.ms"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mosfdns|04|ddns|02|ms|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22876; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fhh.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|fhh|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22316; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain coco.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|coco|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22237; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22813; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nhsl.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nhsl|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22527; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fjod.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fjod|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22325; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qual.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|qual|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22610; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao6.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao6|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22606; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain built.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|built|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22200; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caci.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|caci|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22209; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-aeai.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-aeai|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22711; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hy.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|hy|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22379; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sav.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sav|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22629; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rouji.freespirit.acmetoy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|rouji|0A|freespirit|07|acmetoy|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22622; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain new.arrowservice.net"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|new|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22508; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain covclient.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|covclient|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22251; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yahoo.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|yahoo|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22829; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alion.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|alion|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22143; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain armi.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|armi|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22164; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sysinfo.mynumber.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sysinfo|08|mynumber|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22881; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain we.trickip.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|we|07|trickip|03|org|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22790; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xtap.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|xtap|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22827; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain seoulsummit.ddns.ms"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|seoulsummit|04|ddns|02|ms|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22879; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a-af.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|a-af|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22120; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tape.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|tape|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22695; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sword.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|sword|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22690; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bot.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bot|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22197; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain ug-tta.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-tta|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22741; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain daa.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|daa|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22267; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dev.teamattire.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dev|0A|teamattire|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22275; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gatu.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gatu|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22347; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain progress.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|progress|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22595; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22820; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|10|businessconsults|03|net|00|"; 
fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22862; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain login.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|login|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22452; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vope.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vope|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22765; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-dfait.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ug-dfait|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22723; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smtp.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|smtp|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22657; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klenvi.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klenvi|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22420; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dod.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dod|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22283; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain admin.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|admin|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22129; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slrfc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slrfc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22650; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fnrn.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fnrn|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22334; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-rj.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ug-rj|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22737; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain loading.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|loading|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22448; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.helpngr.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|07|helpngr|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22888; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain conn.gxdet.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|conn|05|gxdet|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22883; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain epic.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|epic|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22303; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hill.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hill|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22370; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mko.busketball.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mko|0A|busketball|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22488; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nuk.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nuk|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22534; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain domain.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|domain|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22284; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klpiec.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klpiec|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22430; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cac.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cac|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22213; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wcov.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wcov|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22774; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nhs1.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nhs1|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22526; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-nema.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-nema|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22731; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ball.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ball|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22182; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gg.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|gg|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22353; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kliee.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|05|kliee|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22422; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-tree.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-tree|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22740; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22471; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22518; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adtkl.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|adtkl|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22132; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klbis.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|klbis|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22415; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain irsg.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|irsg|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22396; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain leets.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|leets|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22845; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sun.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sun|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22686; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wdeh.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wdeh|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22775; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 09back.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|09back|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22117; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain email.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|email|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22301; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-aaon.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-aaon|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22710; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wpot.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|wpot|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22800; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jhd.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|jhd|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22404; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ati.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ati|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22172; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lnz.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|lnz|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22447; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ssa.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ssa|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22840; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ass.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ass|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22168; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cbc.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cbc|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22220; rev:2;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ati.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ati|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22171; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain acli-mail.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|acli-mail|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22124; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xmer.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|xmer|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22826; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain citrix.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|citrix|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22233; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dyn.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dyn|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22295; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fwmo.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fwmo|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22343; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain psu.worthhummer.net"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|psu|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22599; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sope.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sope|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22662; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mor.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mor|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22492; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ppt.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ppt|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22590; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fher.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fher|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22313; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mailserver.sendsmtp.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mailserver|08|sendsmtp|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22875; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apejack.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|apejack|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22151; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wnew.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wnew|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22795; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ever.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ever|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22307; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sls.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sls|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22653; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bbs.india-videoer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bbs|0D|india-videoer|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22842; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-co.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ug-co|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22720; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-mbi.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-mbi|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22730; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain ug-irpf.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-irpf|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22727; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain irs.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|irs|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22395; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain johntime.myftp.name"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|johntime|05|myftp|04|name|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22407; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tape.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|tape|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22694; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cib.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cib|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22231; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bksy.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|bksy|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22192; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao4.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao4|0D|bigdepression|03|net|00|"; 
fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22866; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain utc.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|utc|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22753; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nci.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nci|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22504; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kl-rfc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kl-rfc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22431; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alcan.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|alcan|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22142; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pop|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22586; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain help.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|help|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22369; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain ug-pmet.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-pmet|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22734; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hotel.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|hotel|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22374; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wpot.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wpot|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22801; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain release.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|release|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22615; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oppa.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|oppa|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22541; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22386; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctcs.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ctcs|0D|bigdepression|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22263; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain usc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|usc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22750; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain merax.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|merax|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22483; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nousage.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nousage|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22530; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-bdfa.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-bdfa|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22716; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klbis.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|klbis|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22416; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao7.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao7|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22607; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain pacific.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|pacific|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22560; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pcie.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pcie|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22566; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnsg.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dnsg|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22280; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain log.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|log|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22450; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www2.wikaba.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|06|wikaba|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22812; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fstl.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fstl|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22338; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain onk.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|onk|08|newsonet|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22539; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stell.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|stell|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22680; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|webmail|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22783; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klnrdc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klnrdc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22427; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csba.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|csba|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22256; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bbh.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bbh|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22187; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fmp.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fmp|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22331; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain test.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|test|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22699; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cdcd.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|cdcd|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22224; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cook.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|cook|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22245; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ysb.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ysb|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22835; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain scc.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|scc|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22631; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain glj.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|glj|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22356; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mailsrv.scitence.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mailsrv|08|scitence|03|net|00|"; fast_pattern:only; 
reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22892; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain spahi.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|spahi|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22666; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain think.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|think|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22702; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy2.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucy2|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22463; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sisc.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sisc|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22645; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kmhl.mrbonus.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|kmhl|07|mrbonus|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22436; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao1.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao1|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22601; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain kl-vfw.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kl-vfw|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22434; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain carpgallery.longmusic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|carpgallery|09|longmusic|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22217; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bphb.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|bphb|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22198; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apekl.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|apekl|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22152; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rsut.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rsut|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22623; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lawste.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|lawste|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22442; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain climate.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|07|climate|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22234; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22474; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-opm.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-opm|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22732; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klbar.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|klbar|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22414; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rouji.freespirit.acmetoy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|rouji|0A|freespirit|07|acmetoy|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22846; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jfs.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|jfs|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22403; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klnrdc.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klnrdc|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22428; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain value.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|value|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22755; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-sbig.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ug-sbig|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22739; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gmail.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|gmail|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22359; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fher.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fher|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22315; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain crab.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|crab|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22254; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain contact.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|contact|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22240; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain fine.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fine|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22324; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain what.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|what|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22792; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-ag.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ug-ag|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22712; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain max.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|max|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22479; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.new-soho.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|08|new-soho|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22889; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain business.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|business|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22201; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain home.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|home|0C|arrowservice|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22371; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain happy.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|happy|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22366; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hy.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|hy|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22380; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stulaw.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|stulaw|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22684; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain orca.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|orca|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22544; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao1.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao1|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22863; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slnoa.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slnoa|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22649; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain amne.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|amne|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22144; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bhbt.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|bhbt|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22191; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slnoa.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slnoa|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22648; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain web.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|web|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22778; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shot.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|shot|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22642; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tclient.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tclient|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22696; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cacq.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|cacq|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22212; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-rj.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ug-rj|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22738; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sos.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sos|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22663; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nhc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|nhc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22525; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain weblog.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|weblog|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22780; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rice.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rice|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22619; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pop|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22839; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wopec.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wopec|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22796; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wwab.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wwab|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22806; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ins.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ins|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22389; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ago.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ago|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22139; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.scitence.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|08|scitence|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22894; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dgih.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dgih|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22277; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain doa.bigdepression.net"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|doa|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22282; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stuwal.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|stuwal|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22685; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain egcc.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|egcc|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22300; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22816; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain free.gmailboxes.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|free|0A|gmailboxes|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22335; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain local.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|local|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22449; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nucor001.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|nucor001|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; 
sid:22533; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.optimizon.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|optimizon|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22851; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain culture.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|culture|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22266; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kl-knab.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|kl-knab|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22423; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bat.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bat|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22183; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cok.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cok|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22238; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mini.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mini|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22487; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.new-soho.com"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|08|new-soho|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22891; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saf.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|saf|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22626; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain prc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|prc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22591; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|lucy|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22467; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain logs.chileexe77.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|logs|0A|chileexe77|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22456; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cdc01.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cdc01|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22223; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iri.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|iri|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22394; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cowboy.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|cowboy|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22253; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kluscc.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|kluscc|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22433; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain think.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|think|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22701; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain proc.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|proc|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22594; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ffej.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ffej|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22312; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22470; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
ug-hst.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-hst|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22726; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yang.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|yang|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22832; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bll.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bll|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22193; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fed.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fed|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22310; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22515; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain koa.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|koa|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22439; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kllhd.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|kllhd|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22424; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain buz.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|buz|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22204; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fwmo.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fwmo|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22344; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain db.billten.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|db|07|billten|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22884; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ncih.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ncih|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22503; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain house.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|house|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22375; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain host.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|host|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22372; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
dias.globalowa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dias|09|globalowa|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22278; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain epaserver.toythieves.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|epaserver|0A|toythieves|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22873; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain update.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|update|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22745; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flucare.worthhummer.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|flucare|0B|worthhummer|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22327; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www2.wikaba.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|06|wikaba|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22912; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wwww.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wwww|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22823; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dvn.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dvn|08|newsonet|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22294; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain texc.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|texc|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22700; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain san.www1.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|san|04|www1|03|biz|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22878; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain owa.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|owa|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22557; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain owa.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|owa|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22556; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|webmail|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22784; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain usc.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|usc|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22749; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain johnbell.longmusic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|johnbell|09|longmusic|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22406; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain walk.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|walk|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22771; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vope.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vope|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22907; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao2.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao2|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22602; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-volpe.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ug-volpe|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22742; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sw.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sw|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22689; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain af.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|02|af|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22135; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.whandjg.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|webmail|07|whandjg|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22898; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain srs.dnsweb.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|srs|06|dnsweb|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22672; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caci.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|caci|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22211; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kl-hqun.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|kl-hqun|08|newsonet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22421; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain syn.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|syn|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22691; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ope.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ope|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22540; rev:2;) # alert 
udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain doa.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|doa|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22856; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain car1.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|car1|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22216; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klecca.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klecca|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22419; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao5.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao5|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22867; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-man.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-man|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22729; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain green.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|green|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22361; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
ug-cti.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-cti|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22722; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qiao2.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|qiao2|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22864; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ug-bpd.hugesoft.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ug-bpd|08|hugesoft|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22717; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wmp.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wmp|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22793; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain epod.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|epod|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22306; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oliver.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|oliver|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22538; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain train.newsonet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|train|08|newsonet|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22705; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newport.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|newport|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22510; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a-bne.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|a-bne|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22123; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain psu.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|psu|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22598; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aps.bigdepression.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|aps|0D|bigdepression|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22155; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain scc.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|scc|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22632; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain down.safalife.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|down|08|safalife|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22287; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain ctcn.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ctcn|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22262; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22838; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fmp.bigish.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fmp|06|bigish|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22330; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fnem.businessconsults.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|fnem|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22332; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain media.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|media|0B|purpledaily|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22482; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain indian.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|indian|0C|arrowservice|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22385; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csc.businessconsults.net"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|03|csc|10|businessconsults|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22257; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slade.safehousenumber.com - Mal/Rimecud-R"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slade|0F|safehousenumber|03|com|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx; classtype:trojan-activity; sid:22958; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain portal.roomshowerbord.com - Mal/EncPk-ADU"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|portal|0E|roomshowerbord|03|com|00|"; fast_pattern:only; reference:url,www.threatexpert.com/report.aspx?md5=d3d6f87d8f8e3dd5c2793d5a1d3ca7ca; classtype:trojan-activity; sid:22960; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flushdns.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|flushdns|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23068; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ultrasoft.in - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ultrasoft|02|in|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23084; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain chchengine.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|chchengine|03|com|00|"; fast_pattern:only; 
reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23063; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain chchengine.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|chchengine|03|net|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23064; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serverss.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|serverss|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23078; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serveflash.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|serveflash|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23077; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rsscenter.webhop.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|rsscenter|06|webhop|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23076; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bannerspot.in - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bannerspot|02|in|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; 
reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23061; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain micromedia.in - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|micromedia|02|in|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23071; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain e.ppift.com - Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|e|05|ppift|03|com|00|"; fast_pattern:only; reference:url,www.eset.eu/encyclopaedia/win32-serpip-a-worm-fipp-a-virus-morto-w32-b-pift; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Morto.A#techdetails_link; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Fipp-A/detailed-analysis.aspx; classtype:trojan-activity; sid:23454; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rewt.ru - W32.DorkBot-S"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rewt|02|ru|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~DorkBot-S/detailed-analysis.aspx; classtype:trojan-activity; sid:24033; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lolcantpwnme.net - W32.DorkBot-S"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|lolcantpwnme|03|net|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~DorkBot-S/detailed-analysis.aspx; classtype:trojan-activity; sid:24032; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain api.wipmania.com - 
Troj.Dorkbot-AO"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|api|08|wipmania|03|com"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Dorkbot-AO/detailed-analysis.aspx; classtype:trojan-activity; sid:24031; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wpwp525.3322.org - Trojan-.Radil"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"wpwp525|04|3322|03|org"; reference:url,www.virustotal.com/file/8c50bf99178cee6e6cb09325ac7a56e00426ff9db90b45e13ce2c5b491db0a80/analysis/; classtype:trojan-activity; sid:24009; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.couchness.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|09|couchness|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24852; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdated.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdated|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24843; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdates.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdates|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24849; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpchecks.net"; flow:to_server; 
# NOTE(review): sid:24852 above names ns1.couchness.com in its msg, but its content
# matches |03|ns1|09|couchness|03|net|00| (couchness.net). One of the two is wrong;
# an analyst pivoting on the alert text would look up a different domain than the
# one the signature actually fires on. Worth checking before this rule is ever revived.
# NOTE(review): sid:24009 diverges from the surrounding DNS-query rules in three ways:
# it tests the four opcode bits one at a time (0x40|0x20|0x10|0x08 = 0x78) instead of
# the 0xF8 mask used everywhere else, so the QR (response) bit is not checked; its
# content has no leading label-length byte and no trailing |00| terminator; and it has
# no fast_pattern:only. sid:24031 above likewise omits the trailing |00|, so its match
# is not anchored at the end of the queried name. sid:24859 and sid:25069 on the next
# line also omit the leading length byte. All are commented out here, so the impact is
# only if someone copies them back into an active ruleset.
byte_test:1,!&,0xF8,2; content:"|03|ns1|0A|helpchecks|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24850; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sureshreddy1.dns05.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"sureshreddy1|05|dns05|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/dce3412caecdb1c4959adb5794bbe3b69348b26b97360ef262acf5fd2c0dfa2c/analysis/; classtype:trojan-activity; sid:24859; rev:2;) # alert udp any any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain losang.dynamicdns.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"losang|0A|dynamicdns|02|co|02|uk"; fast_pattern:only; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; reference:url,www.virustotal.com/file/1567389c8365c09b3d7833c4a5dedcc968b9b5f3f34a52f44f22b3666ef1768a/analysis/; classtype:trojan-activity; sid:25069; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msonlineupdate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|msonlineupdate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25426; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain svchost-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|svchost-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25436; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoftupdate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|microsoftupdate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25417; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
windows-genuine.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|windows-genuine|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25440; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain genuineservicecheck.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|genuineservicecheck|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25413; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain os-microsoft-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|os-microsoft-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25432; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nt-windows-online.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|nt-windows-online|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25429; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wingenuine.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wingenuine|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25443; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csrss-check-new.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|csrss-check-new|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25401; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msgenuine.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|msgenuine|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:25422; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain new-driver-upgrade.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|new-driver-upgrade|03|com|00|"; fast_pattern:only; 
classtype:trojan-activity; sid:25427; rev:3;)
#
# Review notes for the deleted BLACKLIST DNS rules that follow. The rules are kept
# byte-for-byte; only comments were added and each rule is printed on its own line.
#
# - byte_test:1,!&,0xF8,2 reads one byte at payload offset 2 (the high byte of the
#   DNS header flags) and requires none of bits 0xF8 to be set, i.e. QR=0 and
#   opcode=0: a standard query. A rule that omits it (sid:27146 below) also fires
#   when the name appears in a response or under a non-standard-query opcode.
# - The content patterns are wire-format labels (length byte + label, |00| root) and
#   none of these rules uses nocase, so the match is case-sensitive. DNS names are
#   case-insensitive and clients/resolvers may randomize case; the rules whose
#   pattern contains upper-case letters (sid:26603, 29469, 29472, 29474, 29476,
#   29477, 29478, 29480) therefore miss the same name sent in lower case.
# - "-> any 53" also sees queries sent to an internal resolver; the rules that use
#   "-> $EXTERNAL_NET 53" (sid:27953, 27950, 29323) only match queries that leave
#   $HOME_NET directly.
# - A pattern with no leading length byte or no terminating |00| (sid:27698, 29089,
#   30197, 28950) is not anchored to a whole name and also matches any longer name
#   that embeds the same label sequence.
#
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mobile-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|mobile-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25418; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nt-windows-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|nt-windows-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25430; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wins-driver-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|wins-driver-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25444; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain update-genuine.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|update-genuine|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25437; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msonlinecheck.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|msonlinecheck|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25424; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nt-windows-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|nt-windows-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25428; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain svchost-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|svchost-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25434; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dll-host.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|dll-host|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25407; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoft-msdn.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|microsoft-msdn|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25415; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain os-microsoft-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|os-microsoft-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25431; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ms-software-genuine.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|ms-software-genuine|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25420; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain genuineupdate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|genuineupdate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25414; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wins-driver-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|wins-driver-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25445; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ms-software-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|ms-software-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25419; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csrss-upgrade-new.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|csrss-upgrade-new|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25403; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain svchost-online.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|svchost-online|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25435; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msonlineget.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msonlineget|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25425; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dll-host-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|dll-host-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25406; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain win-driver-upgrade.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|win-driver-upgrade|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25439; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain windowsonlineupdate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|windowsonlineupdate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25442; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csrss-update-new.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|csrss-update-new|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25402; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ms-software-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|ms-software-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25421; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain default.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|default|0C|arrowservice|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:26141; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain usapappers.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|usapappers|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26150; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www2.wikaba.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|06|wikaba|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26153; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zgrshy.zyns.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|zgrshy|04|zyns|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26154; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain opp.coastmaritime.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|opp|0D|coastmaritime|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:26147; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dec.globalsecuriy.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dec|0D|globalsecuriy|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:26140; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ppt.ezua.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ppt|04|ezua|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26149; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ope.coastmaritime.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ope|0D|coastmaritime|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:26146; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain micyuisyahooapis.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|micyuisyahooapis|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26145; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain arm.armed.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|arm|05|armed|02|us|00|"; fast_pattern:only; classtype:trojan-activity; sid:26139; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain opp.globalsecuriy.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|opp|0D|globalsecuriy|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:26148; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.globalsecuriy.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|globalsecuriy|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:26152; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zgrshy11.zyns.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|zgrshy11|04|zyns|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26156; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain klwest.purpledaily.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|klwest|0B|purpledaily|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26144; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.arrowservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0C|arrowservice|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:26151; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zgrshy10.zyns.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|zgrshy10|04|zyns|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26155; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gao.gaokew.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|gao|06|gaokew|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26143; rev:2;)
# NOTE(review): mixed-case pattern ("microsoftUpdate") with no nocase; a lower-case query for the same name does not match.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoftUpdate.ns1.name"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|microsoftUpdate|03|ns1|04|name|00|"; fast_pattern:only; classtype:trojan-activity; sid:26603; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain androfox.tk - Andr.Trojan.Obad"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|androfox|02|tk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ba1d6f317214d318b2a4e9a9663bc7ec867a6c845affecad1290fd717cc74f29/analysis/; classtype:trojan-activity; sid:27066; rev:2;)
# NOTE(review): the only request rule here without the byte_test QR/opcode check; it is not limited to standard queries.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain scari-elegante.ro - Yakes Trojan"; flow:to_server; content:"|0E|scari-elegante|02|ro|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27146; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vpen.abacocafe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vpen|09|abacocafe|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fe4985b13b2270c0e71a2c0755a22c17bba968ac66b94899fe6dccc22aacbd54/analysis/; classtype:trojan-activity; sid:27653; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pens.abacocafe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pens|09|abacocafe|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fe4985b13b2270c0e71a2c0755a22c17bba968ac66b94899fe6dccc22aacbd54/analysis/; classtype:trojan-activity; sid:27652; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pen.abacocafe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pen|09|abacocafe|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fe4985b13b2270c0e71a2c0755a22c17bba968ac66b94899fe6dccc22aacbd54/analysis/; classtype:trojan-activity; sid:27651; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cdn.abacocafe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cdn|09|abacocafe|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fe4985b13b2270c0e71a2c0755a22c17bba968ac66b94899fe6dccc22aacbd54/analysis/; classtype:trojan-activity; sid:27650; rev:2;)
# NOTE(review): no length byte before "software" and no terminating |00| after "info": also matches a longer first label ending in "software" and names that continue past "info".
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain software.myftp.info - Win.Trojan.Tartober"; flow:to_server; byte_test:1,!&,0xF8,2; content:"software|05|myftp|04|info"; fast_pattern:only; reference:url,www.virustotal.com/en/file/143160f9d34f9e23433b78c2c820906d2814ac17ce625bec423ee547290f1184/analysis/; classtype:trojan-activity; sid:27698; rev:2;)
# NOTE(review): the next two rules use "-> $EXTERNAL_NET 53" and so do not see queries that go through an internal resolver.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain service-update.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|service-update|03|net|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27953; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fullstatistic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|fullstatistic|03|com|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27950; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sarmayebux.ir"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sarmayebux|02|ir|00|"; fast_pattern:only; classtype:trojan-activity; sid:28053; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain karder.ws"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|karder|02|ws|00|"; fast_pattern:only; classtype:trojan-activity; sid:28078; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain filenethost.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|filenethost|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:28142; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain catlovers.25u.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|catlovers|03|25u|03|com|00|"; fast_pattern:only; reference:cve,2012-0158; classtype:trojan-activity; sid:28481; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain liumingzhen.myftp.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|liumingzhen|05|myftp|03|org|00|"; fast_pattern:only; reference:cve,2012-0158; classtype:trojan-activity; sid:28480; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain liumingzhen.zapto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|liumingzhen|05|zapto|03|org|00|"; fast_pattern:only; reference:cve,2012-0158; classtype:trojan-activity; sid:28479; rev:3;)
# NOTE(review): response-side rule (flow:to_client, no byte_test). The pattern has no leading length byte and no |00|, so any name containing the dataclub.biz label sequence matches, which agrees with the ".dataclub.biz" wording in msg.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DELETED BLACKLIST DNS reverse lookup response to malicious domain .dataclub.biz - Win.Trojan.Bunitu.G"; flow:to_client; content:"|08|dataclub|03|biz"; fast_pattern:only; classtype:trojan-activity; sid:28950; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain havingbeothers.co.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|havingbeothers|02|co|02|cc|00|"; fast_pattern:only; classtype:trojan-activity; sid:28939; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain appropriations.co.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|appropriations|02|co|02|cc|00|"; fast_pattern:only; classtype:trojan-activity; sid:28938; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain api.ibario.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|api|06|ibario|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/api.ibario.com/information/; classtype:trojan-activity; sid:28933; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kjyg.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|kjyg|03|com|00|"; fast_pattern:only; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29022; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 4pu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|4pu|03|com|00|"; fast_pattern:only; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29020; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain idyno.com.au"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|idyno|03|com|02|au|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/idyno.com.au/information/; classtype:trojan-activity; sid:28992; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain - www.jeyansu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|jeyansu|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b2b35b1d958999ad258deecfd02074c425e778f266c07641795cc362c5b8eeb4/analysis/; classtype:trojan-activity; sid:29043; rev:2;)
# NOTE(review): sid:29122, 29121 and 29119 are backed only by VirusTotal domain reports, not by a sample, and name what look like shared hosting / analytics apex names; such rules tend to be noisy, which may be why they were deleted (the reason is not recorded here -- assumption).
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ucoz.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ucoz|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ucoz.ru/information/; classtype:trojan-activity; sid:29122; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mode.narod.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mode|05|narod|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/mode.narod.ru/information/; classtype:trojan-activity; sid:29121; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain installmonster.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|installmonster|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/installmonster.ru/information/; classtype:trojan-activity; sid:29120; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain counter.yadro.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|counter|05|yadro|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/counter.yadro.ru/information/; classtype:trojan-activity; sid:29119; rev:2;)
# NOTE(review): no terminating |00| after "com"; the match is not anchored to the end of the name.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newip.zgpmsj.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|newip|06|zgpmsj|03|com"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b96f9ea18222f50ddc5b40d2d9916c42f3f531fe9af0f1ba9f0422556f6c3727/analysis/; classtype:trojan-activity; sid:29089; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iframe.ip138.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|iframe|05|ip138|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b96f9ea18222f50ddc5b40d2d9916c42f3f531fe9af0f1ba9f0422556f6c3727/analysis/; classtype:trojan-activity; sid:29088; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain imlang.phmail.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|imlang|06|phmail|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5ba8c42807bee050aa474fe3c876936d196c65dca9895ccd2e317133188c905e/analysis/; classtype:trojan-activity; sid:29086; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cpnet.phmail.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cpnet|06|phmail|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5ba8c42807bee050aa474fe3c876936d196c65dca9895ccd2e317133188c905e/analysis/; classtype:trojan-activity; sid:29085; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain silence.phdns01.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|silence|07|phdns01|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5ba8c42807bee050aa474fe3c876936d196c65dca9895ccd2e317133188c905e/analysis/; classtype:trojan-activity; sid:29084; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hackboomteam.100webspace.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|hackboomteam|0B|100webspace|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3d0d0376d32ebfd2b3ed66d66ae47521b3266b895528e97133eeae6b0f6e9c5d/analysis/; classtype:trojan-activity; sid:29078; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain - filedc.ygto.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|filedc|04|ygto|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0754c283725a6cc8d63208c1f8330bed32c21d356971095156e75013ef5c45a5/analysis/; classtype:trojan-activity; sid:29070; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain - newfile.ocry.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|newfile|04|ocry|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0754c283725a6cc8d63208c1f8330bed32c21d356971095156e75013ef5c45a5/analysis/; classtype:trojan-activity; sid:29069; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain - mmzo.dyndns.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mmzo|06|dyndns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/44732b30c2d45a21368f8ac07069dac178315acec40c119897705225c3afbfd7/analysis/; classtype:trojan-activity; sid:29067; rev:2;)
# NOTE(review): "-> $EXTERNAL_NET 53" again; classtype attempted-recon rather than trojan-activity, matching the "keystroke logger" wording in msg.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for Baidu IME keystroke logger"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cloud|03|ime|05|baidu|02|jp|00|"; fast_pattern:only; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:attempted-recon; sid:29323; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain voxility.net - Win.Trojan.Dropper"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|voxility|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29377; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain posterminalworld.la"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|posterminalworld|02|la|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/; classtype:trojan-activity; sid:29415; rev:2;)
# NOTE(review): sid:29482 .. 29469 all cite the same sample (689be4fa...). Several of them (IsGre.at, Lookin.At, LowestPrices.At, MyRedirect.us) carry upper-case letters in the content pattern with no nocase, so a lower-cased query for the same name does not match.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain support.byinter.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|support|07|byinter|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29482; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain status.acmetoy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|status|07|acmetoy|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29481; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stag_web.IsGre.at"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|stag_web|05|IsGre|02|at|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29480; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pader_web.Lookin.At"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|pader_web|06|Lookin|02|At|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29478; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mof_web.LowestPrices.At"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mof_web|0C|LowestPrices|02|At|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29477; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain inno-tech.IsGre.at"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|inno-tech|05|IsGre|02|at|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29476; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gfans.onmypc.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|gfans|06|onmypc|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29475; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fscey_web.LowestPrices.At"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|fscey_web|0C|LowestPrices|02|At|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29474; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain finance.yesplusno.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|finance|09|yesplusno|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29473; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dcic_web.MyRedirect.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|dcic_web|0A|MyRedirect|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29472; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cht.strangled.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cht|09|strangled|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29471; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain arf.dns1.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|arf|04|dns1|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29470; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adobeupdater3.IsGre.at"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|adobeupdater3|05|IsGre|02|at|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29469; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nasarigroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|nasarigroup|03|com|00|"; fast_pattern:only; reference:url,malwr.com/analysis/M2IxYWE5NzVlNTg2NGYyNTgzNGEzOTdhMDc4NTIyODQ/; classtype:trojan-activity; sid:29458; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 0zz0.com - Win.Trojan.Napolar"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|0zz0|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29867; rev:3;)
# NOTE(review): no terminating |00| after "br"; the match is not anchored to the end of the name.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xpg.com.br - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|xpg|03|com|02|br"; fast_pattern:only; reference:url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fbb58e7014e9d55fbb2e42fd640fee1eac/analysis; classtype:trojan-activity; sid:30197; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hydrabad-ur.ddns.net - JavaAgent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hydrabad-ur|04|ddns|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:31989; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain synergy-dev.sytes.net - Worm.MSIL.Mafusc.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|synergy-dev|05|sytes|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/2902b3f3895f025b86e94f16c01738da2c10b54da76c1dad12a4d50dab051224/analysis/; classtype:trojan-activity; sid:33965; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain publicnews.mooo.com - Backdoor.Briba"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|publicnews|04|mooo|03|com|00|"; fast_pattern:only; reference:cve,2012-1535; reference:url,anubis.iseclab.org/?action=result&task_id=1fbaec06ba83c7f2481fcb8badf31001a; classtype:trojan-activity; sid:23904; rev:7;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.886.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|03|886|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18272; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain koonol.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|koonol|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18270; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnf.6bom.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dnf|04|6bom|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18269; rev:12;)
# NOTE(review): the remaining rules (sid:18124 .. 18185) all cite cve,2010-3962 and most are anchored on a leading |03|www label, so a query for the bare apex or for any other subdomain of the same zone does not match. The CVE reference suggests the hosts served that exploit; msg only calls them "known malware domain".
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.dd0415.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|dd0415|03|net|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18185; rev:11;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnf.gametime.co.kr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dnf|08|gametime|02|co|02|kr|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18184; rev:11;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.yisaa.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|yisaa|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18163; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.soanala.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|soanala|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18159; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.shzhaotian.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0A|shzhaotian|02|cn|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18158; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.quyou365.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|quyou365|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18157; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.pxflm.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|pxflm|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18156; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.pplog.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|pplog|02|cn|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18155; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.nc57.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|04|nc57|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18154; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.mainhu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|mainhu|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18152; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.jxbaike.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|jxbaike|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18150; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.haosf08.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|haosf08|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18149; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.haoleyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|haoleyou|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18148; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.gev.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|03|gev|02|cn|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18147; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.gdfp365.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|gdfp365|02|cn|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18146; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.fp360.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|fp360|03|net|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18145; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.fp0769.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|fp0769|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18144; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.fp0755.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|fp0755|02|cn|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18143; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.eastadmin.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|eastadmin|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18142; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.dspenter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|dspenter|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18141; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.cqtjg.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|cqtjg|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18140; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.china-aoben.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|china-aoben|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18139; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.chateaulegend.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|chateaulegend|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18138; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.66xihu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|66xihu|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18136; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.555hd.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|555hd|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18135; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.551sf.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|551sf|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18134; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.001zs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|001zs|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18133; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.wwmei.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|wwmei|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18130; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.univus.co.kr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|univus|02|co|02|kr|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18127; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.tpydb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|tpydb|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18125; rev:12;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.sijianfeng.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0A|sijianfeng|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18124; rev:12;)
# alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.opusgame.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|opusgame|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18122; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.iwebdy.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|iwebdy|03|net|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18120; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.ilbondrama.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0A|ilbondrama|03|net|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18119; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.cineseoul.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|cineseoul|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18117; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.bnbsoft.co.kr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|bnbsoft|02|co|02|kr|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18116; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.ajs2002.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|ajs2002|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18115; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.5fqq.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|04|5fqq|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18114; 
rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for Hola VPN domain hola.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hola|03|org|00|"; fast_pattern:only; classtype:policy-violation; sid:37307; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|g5wcesdfjzne7255|05|onion|02|to"; classtype:trojan-activity; sid:40210; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cinebergen|02|nl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/910a04313949a4398bb3f352af54e566a7cfd7f0df610a1697c4b4f158113cdd/analysis/; classtype:trojan-activity; sid:32032; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|somee|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/somee.com/information/; classtype:trojan-activity; sid:32200; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hesneclimi.ru - Packed.Win32.Krap.ae"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hesneclimi|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16887; classtype:trojan-activity; sid:16887; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sx21.e4578.com - Trojan.Win32.Scar.ccqb"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sx21|05|e4578|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16898; classtype:trojan-activity; sid:16898; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain bedayton.com - Trojan-Downloader.Win32.Agent.dlhe"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|bedayton|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16846; classtype:trojan-activity; sid:16846; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain postmetoday.ru - Packed.Win32.Katusha.j"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|postmetoday|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16872; classtype:trojan-activity; sid:16872; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ra03.e5732.com - Trojan-Clicker.Win32.Small.afg"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ra03|05|e5732|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16836; classtype:trojan-activity; sid:16836; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain phaizeipeu.ru - Packed.Win32.Krap.gx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|phaizeipeu|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16862; classtype:trojan-activity; sid:16862; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain livetrust.info - Trojan-Spy.Win32.Zbot.akku"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|livetrust|04|info|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16907; classtype:trojan-activity; sid:16907; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain c.softdowns.info - Trojan.BAT.Agent.yn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|c|09|softdowns|04|info|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16876; classtype:trojan-activity; sid:16876; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain reward.pnshop.co.kr - 
Backdoor.Win32.Agent.ahra"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|reward|06|pnshop|02|co|02|kr|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16896; classtype:trojan-activity; sid:16896; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sex-gifts.ru - Trojan-Spy.Win32.Zbot.gen"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sex-gifts|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16881; classtype:trojan-activity; sid:16881; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ophaeghaev.ru - Trojan-Spy.Win32.Zbot.akmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ophaeghaev|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16874; classtype:trojan-activity; sid:16874; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain d.123kuaihuo.com - Trojan.Win32.Scar.clbx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|d|0A|123kuaihuo|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16855; classtype:trojan-activity; sid:16855; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rx11.e6532.com - Trojan.Win32.Opeg.a"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rx11|05|e6532|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16840; classtype:trojan-activity; sid:16840; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 1.7zsm.com - Trojan-Downloader.Win32.Agent.dtuo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|1|04|7zsm|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16843; classtype:trojan-activity; sid:16843; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cnfg.maxsitesrevenues.net - 
Trojan.Win32.BHO.afke"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|cnfg|10|maxsitesrevenues|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16865; classtype:trojan-activity; sid:16865; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain solo1928.ru - Trojan-Spy.Win32.Zbot.gen"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|solo1928|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16891; classtype:trojan-activity; sid:16891; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain babah20122012.com - Trojan-Spy.Win32.Zbot.akbb"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|babah20122012|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16909; classtype:trojan-activity; sid:16909; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rc04.e6532.com - Trojan-Downloader.Win32.Genome.awld"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rc04|05|e6532|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16845; classtype:trojan-activity; sid:16845; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fg545633.host.zgridc.com - Trojan.Win32.Pincav.abub"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fg545633|04|host|06|zgridc|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16892; classtype:trojan-activity; sid:16892; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain teendx.com - Trojan-Spy.Win32.Zbot.gen"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|teendx|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16863; classtype:trojan-activity; sid:16863; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain forelc.cc - 
Trojan-Ransom.Win32.XBlocker.ahe"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|forelc|02|cc|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16851; classtype:trojan-activity; sid:16851; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain parfaitpournous.com - Trojan-Spy.Win32.Zbot.gen"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|parfaitpournous|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16871; classtype:trojan-activity; sid:16871; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain charter-x.biz - Packed.Win32.Krap.ae"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|charter-x|03|biz|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16858; classtype:trojan-activity; sid:16858; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sh16.e8753.com - Trojan.Win32.Scar.ccqb"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sh16|05|e8753|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16839; classtype:trojan-activity; sid:16839; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vopret.ru - Trojan.Win32.FraudPack.axwn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|vopret|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16878; classtype:trojan-activity; sid:16878; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mcafee-registry.ru - Trojan-Spy.Win32.Zbot.akgb"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|mcafee-registry|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16883; classtype:trojan-activity; sid:16883; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain up1.free-sms.co.kr - Trojan.Win32.Vilsel.akp"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|up1|08|free-sms|02|co|02|kr|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16875; classtype:trojan-activity; sid:16875; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dangercheats.com.br - Trojan.Win32.Refroso.arnq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|dangercheats|03|com|02|br|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16837; classtype:trojan-activity; sid:16837; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pattern - 0-0-0-0-0-0-0.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|0-0-0-0-0-0-0|04|info"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16910; classtype:trojan-activity; sid:16910; rev:10;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rm08.e4562.com - Trojan-Downloader.Win32.Agent.dngx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rm08|05|e4562|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16844; classtype:trojan-activity; sid:16844; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bits4ever.ru - Trojan-Spy.Win32.Zbot.aknt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|bits4ever|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16884; classtype:trojan-activity; sid:16884; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain local.1140.co.kr - Trojan-Downloader.Win32.Genome.aobm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|local|04|1140|02|co|02|kr|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16901; classtype:trojan-activity; sid:16901; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain exe.146843.com - Trojan.Win32.Opeg.a"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|exe|06|146843|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16835; classtype:trojan-activity; sid:16835; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rz12.e6805.com - Trojan-Downloader.Win32.Genome.awld"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rz12|05|e6805|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16847; classtype:trojan-activity; sid:16847; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ddkom.biz - Trojan.Win32.Scar.ckhr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ddkom|03|biz|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16877; classtype:trojan-activity; sid:16877; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ootaivilei.ru - Trojan-Spy.Win32.Zbot.akme"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ootaivilei|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16908; classtype:trojan-activity; sid:16908; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain re05.e6532.com - Trojan-Downloader.Win32.Genome.awld"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|re05|05|e6532|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16849; classtype:trojan-activity; sid:16849; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain in6cs.com - Trojan.Win32.Tdss.beea"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|in6cs|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16890; classtype:trojan-activity; sid:16890; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kldmten.net - Trojan-Spy.Win32.Zbot.akra"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|07|kldmten|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16850; classtype:trojan-activity; sid:16850; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vh26.e4578.com - Trojan.Win32.Opeg.a"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vh26|05|e4578|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16853; classtype:trojan-activity; sid:16853; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xlm.ppvsr.com - Trojan-GameThief.Win32.OnLineGames.wwcf"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|xlm|05|ppvsr|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16838; classtype:trojan-activity; sid:16838; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnfpomo.dnfranran.com - Trojan-GameThief.Win32.OnLineGames.bnkx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnfpomo|09|dnfranran|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16879; classtype:trojan-activity; sid:16879; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain podgorz.org - Trojan-Spy.Win32.Zbot.gen"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|podgorz|03|org|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16841; classtype:trojan-activity; sid:16841; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alodh.in - Backdoor.Win32.Delf.vde"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|alodh|02|in|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16895; classtype:trojan-activity; sid:16895; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 111.168lala.com - Backdoor.Win32.Popwin.cyn"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|111|07|168lala|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16882; classtype:trojan-activity; sid:16882; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sp19.e4578.com - Trojan-Downloader.Win32.Genome.njz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|sp19|05|e4578|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16842; classtype:trojan-activity; sid:16842; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain taiping2033.2288.org - Trojan-Downloader.Win32.Selvice.afy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|taiping2033|04|2288|03|org|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16864; classtype:trojan-activity; sid:16864; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain primusdns.ru - Backdoor.Win32.Havar.eh"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|primusdns|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-16893; classtype:trojan-activity; sid:16893; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pyow.prixi-soft.ir"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pyow|0A|prixi-soft|02|ir|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17895; classtype:trojan-activity; sid:17895; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.collectionerrorreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|15|collectionerrorreport|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17887; classtype:trojan-activity; sid:17887; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mummimpegs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mummimpegs|03|com|00|"; 
fast_pattern:only; reference:url,snort.org/rule_docs/1-17873; classtype:trojan-activity; sid:17873; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.moneytw8.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|moneytw8|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17897; classtype:trojan-activity; sid:17897; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kingsizematures.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kingsizematures|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17858; classtype:trojan-activity; sid:17858; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bestkind.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|bestkind|02|ru|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17891; classtype:trojan-activity; sid:17891; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 343.boolans.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|343|07|boolans|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17834; classtype:trojan-activity; sid:17834; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aebankonline.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|aebankonline|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17866; classtype:trojan-activity; sid:17866; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xxsmovies.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xxsmovies|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17837; classtype:trojan-activity; sid:17837; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain www.spamature.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|spamature|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17886; classtype:trojan-activity; sid:17886; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trojan8.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|trojan8|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17870; classtype:trojan-activity; sid:17870; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trumpetlicks.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|trumpetlicks|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17846; classtype:trojan-activity; sid:17846; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 67.201.36.16"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|67|03|201|02|36|02|16|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17828; classtype:trojan-activity; sid:17828; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dommonview.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dommonview|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17853; classtype:trojan-activity; sid:17853; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www3.sexown.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www3|06|sexown|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17872; classtype:trojan-activity; sid:17872; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain edrichfinearts.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|edrichfinearts|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17831; 
classtype:trojan-activity; sid:17831; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pornfucklist.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pornfucklist|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17850; classtype:trojan-activity; sid:17850; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain promotds.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|promotds|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17859; classtype:trojan-activity; sid:17859; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gbsup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|gbsup|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17836; classtype:trojan-activity; sid:17836; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.zxc0001.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|zxc0001|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17893; classtype:trojan-activity; sid:17893; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cheaps1.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|cheaps1|04|info|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17826; classtype:trojan-activity; sid:17826; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain extralargevideos.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|extralargevideos|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17843; classtype:trojan-activity; sid:17843; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fucktosky.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|fucktosky|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17881; classtype:trojan-activity; sid:17881; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.ajie520.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|ajie520|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17889; classtype:trojan-activity; sid:17889; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tubexxxmatures.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|tubexxxmatures|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17864; classtype:trojan-activity; sid:17864; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cfg.353wanwan.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|cfg|09|353wanwan|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17879; classtype:trojan-activity; sid:17879; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain waytoall.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|waytoall|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17885; classtype:trojan-activity; sid:17885; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain game.685faiudeme.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|game|0B|685faiudeme|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17851; classtype:trojan-activity; sid:17851; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.derquda.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|derquda|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17844; classtype:trojan-activity; sid:17844; rev:9;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fuckfuckvids.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fuckfuckvids|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17856; classtype:trojan-activity; sid:17856; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ketsymbol.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ketsymbol|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17821; classtype:trojan-activity; sid:17821; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain extrahotx.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|extrahotx|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17842; classtype:trojan-activity; sid:17842; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain f19dd4abb8b8bdf2.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|f19dd4abb8b8bdf2|02|cn|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17874; classtype:trojan-activity; sid:17874; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain streq.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|streq|02|cn|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17894; classtype:trojan-activity; sid:17894; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain teenxmovs.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|teenxmovs|03|net|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17824; classtype:trojan-activity; sid:17824; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xpresdnet.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xpresdnet|03|com|00|"; fast_pattern:only; 
reference:url,snort.org/rule_docs/1-17835; classtype:trojan-activity; sid:17835; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gimmemyporn.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|gimmemyporn|03|com|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-17884; classtype:trojan-activity; sid:17884; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qq.sbwanwan.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|qq|08|sbwanwan|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18086; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.hao1345.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|hao1345|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18092; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 863.dclsba.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|863|06|dclsba|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18083; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.comstelecom.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|comstelecom|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18090; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 3q.sbwanwan.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|3q|08|sbwanwan|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18082; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain whysohardx.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|whysohardx|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18259; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain protectyourpc-11.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|protectyourpc-11|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18252; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain checkserverstux.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|checkserverstux|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18254; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain freenetgameonline.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|freenetgameonline|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18260; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blogsmonitoringservice.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|16|blogsmonitoringservice|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18253; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tutubest.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|tutubest|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18256; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ilo.brenz.pl - Win.Trojan.Ramnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ilo|05|brenz|02|pl|00|"; fast_pattern:only; reference:url,snort.org/rule_docs/1-18492; classtype:trojan-activity; sid:18492; rev:9;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain antispydot.com - Win32/Cybot.B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|antispydot|03|com|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:trojan-activity; sid:19470; rev:5;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain u101mnuy2k.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|u101mnuy2k|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19544; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rukkeianno.in - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rukkeianno|02|in|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19539; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gd6a15ja813.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|gd6a15ja813|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19517; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 01n02n4cx00.cc - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|01n02n4cx00|02|cc|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19496; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 4tag16ag100.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|4tag16ag100|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19505; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cap01tchaa.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cap01tchaa|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19513; rev:5;) # alert udp $HOME_NET 
any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zna81udha01.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|zna81udha01|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19547; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nichtadden.in - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nichtadden|02|in|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19535; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lkaturi71.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|lkaturi71|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19529; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jna0-0akq8x.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|jna0-0akq8x|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19520; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rukkeianno.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rukkeianno|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19538; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 4gat16ag100.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|4gat16ag100|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19504; rev:5;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain neywrika.in - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|neywrika|02|in|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19534; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kangojjm1.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kangojjm1|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19524; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lkaturl71.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|lkaturl71|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19531; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xx87lhfda88.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|xx87lhfda88|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19545; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain i0m71gmak01.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|i0m71gmak01|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19518; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 86b6b6b6.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|86b6b6b6|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19510; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain rukkieanno.in - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|rukkieanno|02|in|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19540; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 01n02n4cx00.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|01n02n4cx00|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19497; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 01n20n4cx00.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|01n20n4cx00|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19498; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cap0itchaa.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cap0itchaa|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19514; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nyewrika.in - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|nyewrika|02|in|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19537; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zz87ihfda88.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|zz87ihfda88|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19548; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain 1l1i16b0.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|1l1i16b0|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19502; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 7uagr15eb71.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|7uagr15eb71|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19509; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lj1i16b0.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|lj1i16b0|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19528; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kangojim1.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kangojim1|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19523; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zna61udha01.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|zna61udha01|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19546; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sh01cilewk.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sh01cilewk|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19541; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain 86b6b96b.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|86b6b96b|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19511; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kai817hag10.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kai817hag10|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19522; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lkaturl11.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|lkaturl11|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19530; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 0imh17agcla.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|0imh17agcla|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19499; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ikaturi11.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ikaturi11|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19519; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 68b6b6b6.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|68b6b6b6|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19506; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
zz87jhfda88.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|zz87jhfda88|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19549; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain countri1l.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|countri1l|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19515; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain n16fa53.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|n16fa53|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19533; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain li1i16b0.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|li1i16b0|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19527; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain l04undreyk.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|l04undreyk|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19526; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 10n02n4cx00.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|10n02n4cx00|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19500; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 9669b6b96b.com - 
TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|9669b6b96b|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19512; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sho1cilewk.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|sho1cilewk|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19542; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 34jh7alm94.asia - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|34jh7alm94|04|asia|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19503; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ka18i7gah10.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|ka18i7gah10|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19521; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kur1k0nona.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|kur1k0nona|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19525; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nl6fa53.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nl6fa53|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19536; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dg6a51ja813.com - TDL4"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dg6a51ja813|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19516; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain u101mnay2k.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|u101mnay2k|03|com|00|"; fast_pattern:only; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:19543; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain s0pp0rtdesk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|s0pp0rtdesk|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=e30e74dc7be91bd71a0ec72f149242c18c1f90d0346a61e63fc34e52f5beb508-1311600515; classtype:trojan-activity; sid:19639; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mendi38.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mendi38|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=10648dd86467892c22f8eca4608cdb9b5024ad6c87a0bd1622b248c5d053070d-1311572006; classtype:trojan-activity; sid:19640; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sxzyong.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sxzyong|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity; sid:19768; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jifr.info - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jifr|04|info|00|"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19876; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jaifr.com - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|jaifr|03|com|00|"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19875; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sb.degreesbuy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sb|0A|degreesbuy|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=1a3d49e9f1bea6f906c17a112bae71fcc60e64bebcb16f7e1f348265436c1a0d-1314681972; classtype:trojan-activity; sid:20027; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lilupophilupop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lilupophilupop|03|com|00|"; fast_pattern:only; reference:url,isc.sans.org/diary/Lilupophilupop+tops+1million+infected+pages/12304; classtype:trojan-activity; sid:20833; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mac.update.zyns.com - OSX.Maljava"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mac|06|update|04|zyns|03|com"; fast_pattern:only; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:22051; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain center.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|center|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; 
sid:22227; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dns.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dns|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22281; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pear.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pear|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22568; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain officeudpate.servehttp.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|officeudpate|09|servehttp|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22536; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain spah.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|spah|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22665; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain half.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|half|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22364; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vip.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vip|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22759; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bat.blackcake.net"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|03|bat|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22184; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain add.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|add|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22127; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apple.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|apple|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22153; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain velp.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|velp|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22756; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ara.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ara|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22162; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain research.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|research|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22618; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou3.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou3|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22550; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain admin.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|admin|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22130; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain visual.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|visual|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22905; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pizf.peasoul.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pizf|07|peasoul|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22573; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slrouji.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|slrouji|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22652; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeph.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jeph|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22402; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pacific.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|pacific|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22559; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain crazycow.homenet.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|crazycow|07|homenet|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22255; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain comfile.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|comfile|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22239; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cais.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|cais|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22215; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quiet.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|quiet|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22612; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain backup.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|backup|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22178; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sslsrv1.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sslsrv1|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22675; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mantech.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|07|mantech|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22478; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain info.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22388; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain proc.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|proc|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22593; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain visual.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|visual|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22762; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain den.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|den|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22271; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain part.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|part|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22564; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|ns|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22532; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain java.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|java|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22902; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pop|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22587; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain us.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|us|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22751; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22909; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|pop|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22584; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain host.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|host|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22373; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
ground.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ground|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22363; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dove.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dove|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22286; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www1.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www1|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22810; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain csch.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|csch|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22258; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop2.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop2|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22576; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newport.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|newport|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22511; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop3.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop3|0C|infosupports|03|com|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22579; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|ou|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22555; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain logs.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|logs|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22457; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gdtm.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gdtm|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22351; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yang.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|yang|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22833; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22520; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ngc.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ngc|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22524; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain wed5.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wed5|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22786; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caci.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|caci|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22210; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain catalog.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|catalog|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22219; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quick.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|quick|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22853; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bah001.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|bah001|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22180; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain business.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|business|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22202; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yahoo.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|05|yahoo|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22828; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dsw.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|dsw|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22291; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yang1.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|yang1|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22913; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain unifh.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|unifh|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22743; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain clin.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|clin|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22235; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wwwi.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wwwi|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22819; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain des.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|des|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22273; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain protoc.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|protoc|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22597; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain arainfo.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|arainfo|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22161; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vip.pcclubddk.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vip|09|pcclubddk|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22760; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain snoot.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|snoot|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22659; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kit.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|kit|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22411; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qedh.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|qedh|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22600; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain bbc.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bbc|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22186; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cadfait.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|cadfait|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22214; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bat.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bat|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22185; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wed5.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wed5|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22787; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain login.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|login|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22451; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain slrj.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|slrj|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22651; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain owa.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|owa|0F|softsolutionbox|03|net|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22558; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22814; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sunnysaf.allowed.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|sunnysaf|07|allowed|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22687; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cman.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|cman|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22236; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iswb.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|iswb|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22398; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain catalog.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|catalog|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22908; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain time.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|time|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22703; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain mail.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22472; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jr.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|jr|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22408; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quick.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|quick|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22611; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucy2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22858; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop4.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop4|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22580; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain protoc.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|protoc|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22596; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain test.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|04|test|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22698; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fineca.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|fineca|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22319; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|lucy|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22466; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dvid.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dvid|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22293; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain log.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|log|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22455; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sam.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sam|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22627; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caci2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|caci2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22207; rev:2;) # alert 
udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain half.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|half|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22365; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain asiv.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|asiv|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22166; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ccb.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ccb|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22221; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ks01.peasoul.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ks01|07|peasoul|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22440; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gdsp.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gdsp|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22350; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain man001.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|man001|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22477; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.blackcake.net"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|07|webmail|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22782; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou7.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou7|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22554; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ara2.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ara2|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22157; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain carvin.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|carvin|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22218; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stk.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|stk|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22682; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blue.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|blue|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22194; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22523; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bah001.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|bah001|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22854; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hav.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|hav|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22901; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctch.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ctch|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22260; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 3ml.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|3ml|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22119; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cibuc.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cibuc|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22232; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vopm.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vopm|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22766; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST 
DNS request for known malware domain logs.pcclubddk.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|logs|09|pcclubddk|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22458; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain popw.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|popw|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22588; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yang1.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|yang1|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22830; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www1.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www1|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22809; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22549; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain release.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|release|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22616; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain opp.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|opp|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22542; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain avph.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|avph|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22175; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hav.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|hav|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22368; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gannett.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gannett|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22346; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iri.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|iri|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22393; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xawh.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|xawh|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22825; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yang2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|yang2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; 
classtype:trojan-activity; sid:22914; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou3.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou3|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22910; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caci.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|caci|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22208; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nsweb.hostent.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|nsweb|07|hostent|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22871; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain motor.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|motor|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22495; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dvid.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dvid|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22292; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain moon.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|moon|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22490; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for 
known malware domain java.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|java|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22400; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bab.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bab|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22176; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain navi.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|navi|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22500; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wwwt.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wwwt|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22822; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain srs.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|srs|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22673; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop5.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop5|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22581; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain agl.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|agl|0F|softsolutionbox|03|net|00|"; 
fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22138; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vop.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vop|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22764; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wwt.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wwt|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22807; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.dcfrr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|webmail|05|dcfrr|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22897; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wpvn.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|wpvn|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22803; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sam.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sam|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22628; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain inter.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|inter|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22852; rev:2;) # alert 
udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ground.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ground|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22362; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain special.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|special|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22904; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ghma.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ghma|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22900; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mantech.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mantech|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22861; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain url.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|url|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22747; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newsservice.bouncemet.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|newsservice|09|bouncemet|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22522; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request 
for known malware domain lucy.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|lucy|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22859; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou5.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou5|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22552; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain otp.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|otp|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22545; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou6.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou6|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22553; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain contact.ignorelist.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|contact|0A|ignorelist|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22241; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop3.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop3|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22578; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain search.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|06|search|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22635; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain srs.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|srs|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22870; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fly.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fly|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22328; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.freespirit.acmetoy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0A|freespirit|07|acmetoy|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22817; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou7.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou7|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22911; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dyns.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dyns|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22296; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gmail.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|gmail|0C|infosupports|03|com|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22360; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lrl.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|lrl|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22461; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain visco.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|visco|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22761; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saf.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|saf|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22625; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ara2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ara2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22158; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain man001.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|man001|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22476; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain inter.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|inter|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22392; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain info.dcfrr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|info|05|dcfrr|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22887; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain via.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|via|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22757; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain port.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|port|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22589; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain addr.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|addr|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22128; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tra.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|tra|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22706; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pdoc.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pdoc|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22567; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aol.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|aol|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22147; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apple.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|apple|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22154; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain westkl.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|westkl|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22788; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain life.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|life|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22445; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain service.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|service|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22639; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caci2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|caci2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22855; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain people.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|people|0F|softsolutionbox|03|net|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22570; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sslsrv6.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sslsrv6|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22678; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22514; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou1.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou1|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22548; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stk.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|stk|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22681; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain web.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|web|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22779; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yang2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|yang2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22831; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request 
for known malware domain news.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22519; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain des.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|des|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22274; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vol.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vol|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22763; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain url.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|url|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22748; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucy2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucy2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22464; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quiet.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|quiet|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22903; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apa.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|apa|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22148; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eds1.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|eds1|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22299; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gayi.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|gayi|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22348; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain count.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|count|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22249; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain back.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|back|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22177; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain net.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|net|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22507; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain intel.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|intel|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22391; rev:2;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ara.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ara|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22159; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ghma.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ghma|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22354; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.pcclubddk.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|09|pcclubddk|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22521; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pl0y.peasoul.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pl0y|07|peasoul|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22574; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain utex.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|utex|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22754; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain send.issnbgkit.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|send|09|issnbgkit|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22636; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain log.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|log|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22453; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain argsafhq.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|argsafhq|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22163; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22577; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou4.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou4|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22551; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aes.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|aes|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22134; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vop.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vop|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:22906; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop9.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop9|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; 
classtype:trojan-activity; sid:22583; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pop6.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pop6|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22582; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pear.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pear|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22569; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pars.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|pars|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22562; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drs.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|drs|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22288; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smtp.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|smtp|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22656; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vpn.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|vpn|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22768; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain yard.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|yard|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22834; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ksap.peasoul.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|ksap|07|peasoul|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22441; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain asp.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|asp|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22167; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fwb.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fwb|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22342; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sslsrv5.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sslsrv5|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22677; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain red.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|red|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22614; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain moon.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|moon|0C|infosupports|03|com|00|"; fast_pattern:only; 
reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22491; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sslsrv2.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sslsrv2|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22676; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mail.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22475; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftp.freespirit.acmetoy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|0A|freespirit|07|acmetoy|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22339; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vseh.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|vseh|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22770; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain webmail.softsolutionbox.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|webmail|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22785; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bcc.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bcc|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22188; rev:2;) # alert udp 
$HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ou1.blackcake.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ou1|09|blackcake|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22547; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sports3.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|sports3|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22667; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain control.blackberrycluter.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|control|10|blackberrycluter|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22244; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain att.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|att|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22173; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain parth.earthsolution.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|parth|0D|earthsolution|03|org|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22565; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain via.infosupports.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|via|0C|infosupports|03|com|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22758; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain global.softsolutionbox.net"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|06|global|0F|softsolutionbox|03|net|00|"; fast_pattern:only; reference:url,pastebin.com/yKSQd5Z5; classtype:trojan-activity; sid:22357; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain world.rickstudio.ru - Mal/Rimecud-R"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|world|0A|rickstudio|02|ru|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx; classtype:trojan-activity; sid:22959; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain murik.portal-protection.net.ru - Mal/Rimecud-R"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|murik|11|portal-protection|03|net|02|ru|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx; classtype:trojan-activity; sid:22957; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flashupdates.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|flashupdates|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23029; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nvidiastream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nvidiastream|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23033; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quick-net.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|quick-net|04|info|00|"; 
fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23023; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rendercodec.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rendercodec|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23035; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain syncstream.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncstream|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23037; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smart-access.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|smart-access|03|net|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23022; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nvidiadrivers.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|nvidiadrivers|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23031; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain videosync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|videosync|04|info|00|"; fast_pattern:only; 
reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23038; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nvidiasoft.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nvidiasoft|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23032; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain diznet.biz - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|diznet|03|biz|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23066; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newsync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|newsync|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23075; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bannerzone.in - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bannerzone|02|in|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23062; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain syncprovider.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|syncprovider|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; 
reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23081; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smartservicesite.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|smartservicesite|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23079; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain isyncautoupdater.in - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|isyncautoupdater|02|in|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23070; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain synclock.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|synclock|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23080; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flashp.webhop.net - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|flashp|06|webhop|03|net|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23067; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newstatisticfeeder.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|newstatisticfeeder|03|com|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; 
reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23074; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain isyncautomation.in - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|isyncautomation|02|in|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23069; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain syncupdate.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncupdate|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23083; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain netsharepoint.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|netsharepoint|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23073; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mysync.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|mysync|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23072; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dailynewsupdater.com - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|dailynewsupdater|03|com|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; 
classtype:trojan-activity; sid:23065; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain syncsource.info - Flame"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|syncsource|04|info|00|"; fast_pattern:only; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23082; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain d.ppns.info - Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|d|04|ppns|04|info|00|"; fast_pattern:only; reference:url,www.eset.eu/encyclopaedia/win32-serpip-a-worm-fipp-a-virus-morto-w32-b-pift; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Morto.A#techdetails_link; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Fipp-A/detailed-analysis.aspx; classtype:trojan-activity; sid:23452; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain e.ppift.in - Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|e|05|ppift|02|in|00|"; fast_pattern:only; reference:url,www.eset.eu/encyclopaedia/win32-serpip-a-worm-fipp-a-virus-morto-w32-b-pift; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Morto.A#techdetails_link; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Fipp-A/detailed-analysis.aspx; classtype:trojan-activity; sid:23455; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain e.ppift.net - Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|e|05|ppift|03|net|00|"; fast_pattern:only; reference:url,www.eset.eu/encyclopaedia/win32-serpip-a-worm-fipp-a-virus-morto-w32-b-pift; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Morto.A#techdetails_link; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Fipp-A/detailed-analysis.aspx; classtype:trojan-activity; sid:23453; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain in.ingoogle.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|in|08|ingoogle|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/a01a8f8eaecc1975a1e96c36481e7c63c06388f7857bf98032d3050522c251db/analysis/; classtype:trojan-activity; sid:23629; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain peradjoka.t35.com - Win.Worm.Helompy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|peradjoka|03|t35|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/a869eec0d669facb214a6238268dea01c4480a17a6c6ec08049471fcaefd4bb3/analysis/; classtype:trojan-activity; sid:24183; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 22231.dtdns.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|22231|05|dtdns|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24856; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdated.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdated|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24844; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdated.org"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|ns1|0B|helpupdated|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24845; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.chopbell.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|08|chopbell|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24853; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdatek.tw"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdatek|02|tw|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24848; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.chopbell.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|08|chopbell|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24854; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdatek.at"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdatek|02|at|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24846; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain existing.suroot.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|existing|06|suroot|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24855; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdatek.eu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdatek|02|eu|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24847; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdates.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdates|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24851; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ns1.helpupdater.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0B|helpupdater|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/b9748edc06bec96214dec600dd7e2d7c27641412f8718ec49cc707577d1ff346/analysis; classtype:trojan-activity; sid:24842; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain atsihkcljrqlzvku.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|atsihkcljrqlzvku|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25154; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ctolfpcqldrvxvml.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|ctolfpcqldrvxvml|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25161; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain publicatorian.ru"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0D|publicatorian|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25201; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aofngppahgor.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|aofngppahgor|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25149; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ifrhgnqeeotnzrmz.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25182; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain owekhoeuhmdiehrw.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25195; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain amnaosogo.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|amnaosogo|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25145; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fufsbovwfzjumtle.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|fufsbovwfzjumtle|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25172; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hvuwhwqtoyidfrjg.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|hvuwhwqtoyidfrjg|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25179; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wiombejwxrddpkkx.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|wiombejwxrddpkkx|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25218; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST 
DNS request for known malware domain zfyafrjmmajqfvbh.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25223; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bkhyiqitpoxewhmt.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25158; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gmokuosvnbkshdtd.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25176; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apendiksator.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|apendiksator|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25150; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mouwwvcwwlilnxub.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25190; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dujovshpvbxgrikw.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|dujovshpvbxgrikw|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25165; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sectantes-x.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|sectantes-x|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25206; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pwyloytoagndnrex.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|pwyloytoagndnrex|02|ru|00|"; fast_pattern:only; 
classtype:trojan-activity; sid:25202; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain imjosxuhbcdonrco.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25183; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain opldkflyvlkywuec.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|opldkflyvlkywuec|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25194; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tdsorylshsxjeawf.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25210; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ddkudnuklgiwtdyw.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25162; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shderldqiqdtdcmu.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shderldqiqdtdcmu|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25207; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cinemaallon.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|cinemaallon|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25159; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain knauycqgsdhgbwjo.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25185; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
fzsirujgdbvabrjm.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25173; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aliamognoa.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|aliamognoa|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25144; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain venrfhmthwpqlqge.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25215; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xeeypppxswpquvrf.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25219; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain haqmuqqukywrcxfa.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25177; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain leberiasun.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|leberiasun|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25188; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eefysywrvkgxuqdf.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25166; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zatiscwwtipqlycd.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25222; rev:3;) 
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain noqzuukouyfuyrmd.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25191; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uqspvdwyltgcyhft.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25214; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qhibjmjlnpyovmbn.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|qhibjmjlnpyovmbn|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25203; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain febcbuyswmishvpl.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|febcbuyswmishvpl|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25170; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aviaonlolsio.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|aviaonlolsio|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25155; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pelamutrika.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pelamutrika|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25198; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain anifkailood.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|anifkailood|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25147; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vmibswhnpqhqwyih.ru"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|10|vmibswhnpqhqwyih|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25216; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dimarikanko.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dimarikanko|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25163; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yayfefhrwawquwcw.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25221; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ogrtlmpkqtwmweff.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|ogrtlmpkqtwmweff|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25193; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain awoeionfpop.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|awoeionfpop|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25156; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kzxrowftdocgyghs.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25186; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jrkjelzwleadyxsd.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25184; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apensiona.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|apensiona|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25151; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request 
for known malware domain pitoniamason.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pitoniamason|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25199; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ahiontota.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ahiontota|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25143; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ganalionomka.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ganalionomka|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25174; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iblpdiqdmmsbnuxb.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25180; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pchgijctfprxhnje.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|pchgijctfprxhnje|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25197; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain somaliaonfloor.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|somaliaonfloor|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25208; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eilqnjkoytyjuchn.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25167; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cpittmwbqtjrjpql.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; 
sid:25160; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain antariktika.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|antariktika|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25148; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apolinaklsit.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|apolinaklsit|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25152; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uitjsdpvrfgfdhff.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|uitjsdpvrfgfdhff|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25211; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lfbovcaitdrjmkbe.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|lfbovcaitdrjmkbe|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25189; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dpewaddpoewiycnj.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25164; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bhujzorkulhkpwob.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25157; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain angelaonfl.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|angelaonfl|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25146; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain upmqpwyndzwzmmwy.ru"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|10|upmqpwyndzwzmmwy|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25213; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oblcasnhxbbocpfj.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25192; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain francese.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|francese|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25171; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eyxejlabqaytqmjx.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25169; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qtmyeslmsoxkjbku.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25204; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hfveiooumeyrpchg.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25178; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wejungvnykczyjam.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|wejungvnykczyjam|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25217; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain podarunoki.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|podarunoki|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25200; rev:3;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain lavvckpordclbduy.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|lavvckpordclbduy|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25187; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sqwlonyduvpowdgy.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25209; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rxupwhkznihnxzqx.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25205; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ummxjwieppswcnrg.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25212; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xmwettbvtbhvrjuo.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25220; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain elxegvkalqvkyoxc.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25168; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aseniakrol.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|aseniakrol|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25153; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain panamechkis.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|panamechkis|02|ru|00|"; 
fast_pattern:only; classtype:trojan-activity; sid:25196; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain adanagenro.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|adanagenro|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25142; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iekiyvsbtyozmmwy.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|iekiyvsbtyozmmwy|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25181; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain genevaonline.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|genevaonline|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:25175; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dll-host-udate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|dll-host-udate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25405; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xponlineupdate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|xponlineupdate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25447; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dllupdate.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dllupdate|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25408; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain genuine-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|genuine-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25412; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dll-host-check.com"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|dll-host-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25404; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain windowscheckupdate.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|windowscheckupdate|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25441; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msinfoonline.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|msinfoonline|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:25423; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain osgenuine.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|osgenuine|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25433; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drivers-get.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|drivers-get|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25410; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain win-check-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|win-check-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25438; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoftcheck.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|microsoftcheck|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25416; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drivers-check.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|drivers-check|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25409; rev:3;) # alert udp $HOME_NET 
any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wins-update.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wins-update|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25446; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drivers-update-online.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|15|drivers-update-online|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25411; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain localfreecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|localfreecatalog|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25747; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pornofreeforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|pornofreeforyou|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25755; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drafsddhjk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|drafsddhjk|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25736; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pornowinner.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornowinner|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25756; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shopcataloggroup.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|shopcataloggroup|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25760; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newsearchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|12|newsearchnecessary|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25751; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newsearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|newsearchshop|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25752; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain beststoresearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|beststoresearch|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25732; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain findalleasy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|findalleasy|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25742; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newpornopicture.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|newpornopicture|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25750; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain freesearchshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|freesearchshop|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25746; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lovepornomoney.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|lovepornomoney|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25749; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shop-work.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shop-work|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25761; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST 
DNS request for known malware domain celebrity-info.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|celebrity-info|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25735; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain all-celeb.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|all-celeb|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25729; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain search-porno.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|search-porno|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25759; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain freepornoshop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|freepornoshop|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25745; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain findallsimple.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|findallsimple|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25743; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ekstaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ekstaz|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:25738; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bestpornodrive.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bestpornodrive|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25731; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain loveplacecatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|loveplacecatalog|03|com|00|"; fast_pattern:only; classtype:trojan-activity; 
sid:25748; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pornofreecatalogs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|pornofreecatalogs|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25754; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain catalogpornosearch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|catalogpornosearch|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25734; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain searchnecessary.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|searchnecessary|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25758; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain famouspeopledata.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|famouspeopledata|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25740; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain freepornoreport.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|freepornoreport|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25744; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain proshopcatalog.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|proshopcatalog|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25757; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain easy-statistics.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|easy-statistics|02|in|00|"; fast_pattern:only; classtype:trojan-activity; sid:25737; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pornobeetle.com"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pornobeetle|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25753; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain catalogforyou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|catalogforyou|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:25733; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain foreignpolicy.zonet.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|foreignpolicy|05|zonet|02|us|00|"; fast_pattern:only; classtype:trojan-activity; sid:26142; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:26403; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|00|"; fast_pattern:only; classtype:trojan-activity; sid:26399; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:26406; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|00|"; fast_pattern:only; classtype:trojan-activity; sid:26400; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com"; fast_pattern:only; classtype:trojan-activity; sid:26409; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su"; fast_pattern:only; classtype:trojan-activity; sid:26408; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:26404; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:26407; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|kei|02|su"; fast_pattern:only; classtype:trojan-activity; sid:26555; rev:3;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:26556; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; fast_pattern:only; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; fast_pattern:only; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; fast_pattern:only; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ppcfeedclick.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ppcfeedclick|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26614; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ppcfeedadvertising.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|ppcfeedadvertising|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:26612; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; fast_pattern:only; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fasternation.net - Win.Trojan.Pirminay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fasternation|03|net|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26971; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain androfox.com - Andr.Trojan.Obad"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|androfox|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ba1d6f317214d318b2a4e9a9663bc7ec867a6c845affecad1290fd717cc74f29/analysis/; classtype:trojan-activity; sid:27065; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; content:"|09|memo-stat|03|com|00|"; fast_pattern:only; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain myharlemshake.info - MSIL Trojan"; flow:to_server; content:"|0D|myharlemshake|04|info|00|"; fast_pattern:only; reference:url,mwanalysis.org/?page=report&analysisid=2178740&password=nxbjmzykzt; reference:url,www.virustotal.com/en/file/16534fea6ec534249b0a14a497f82f5c7b4b8f2b005e965c24816365ce062318/analysis/; classtype:trojan-activity; sid:27155; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain micsigafgi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|micsigafgi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27524; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mupxiholakeo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|mupxiholakeo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27523; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain taqeixoqbei.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|taqeixoqbei|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27522; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dirweikugqij.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|dirweikugqij|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27521; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain leisukovat.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|leisukovat|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27520; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain haveapill.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|haveapill|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27519; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cuxafkoqi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cuxafkoqi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27518; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nuxugjeop.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nuxugjeop|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27517; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain moqcadiguseo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|moqcadiguseo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27516; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qagupanci.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|qagupanci|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27515; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain geileawoz.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|geileawoz|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27514; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nafwucirdahu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nafwucirdahu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27513; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ruxneafuhe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ruxneafuhe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27512; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain neixirrux.kz - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|neixirrux|02|kz|00|"; fast_pattern:only; classtype:trojan-activity; sid:27511; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tupmeolillit.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tupmeolillit|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27510; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mafquwecar.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mafquwecar|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27509; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain goqvasusei.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|goqvasusei|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27508; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain nuqabuxpi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nuqabuxpi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27507; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mirotuggada.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mirotuggada|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27506; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kipucagowad.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kipucagowad|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27505; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain meatubeibu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|meatubeibu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27504; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wozbowuwegik.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|wozbowuwegik|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27503; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tupkoveacoqw.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tupkoveacoqw|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27502; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gafxugeikabi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|gafxugeikabi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27501; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pilpuxmafr.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0A|pilpuxmafr|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27500; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain moluxubeoke.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|moluxubeoke|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27499; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain veiceobatnei.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|veiceobatnei|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27498; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain koqsajuppi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|koqsajuppi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27497; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain micvuxtebi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|micvuxtebi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27496; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cibimozsu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cibimozsu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27495; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wabowanfank.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wabowanfank|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27494; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kokceafohilc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kokceafohilc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27493; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain xisafeowa.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xisafeowa|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27492; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rugpilkokjeo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|rugpilkokjeo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27491; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain geigupkos.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|geigupkos|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27490; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain geajozhuwepi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|geajozhuwepi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27489; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hokneohabe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hokneohabe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27488; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain buwicceaxeo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|buwicceaxeo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27487; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bokgowofuppi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|bokgowofuppi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27486; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lozbokbumicl.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0C|lozbokbumicl|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27485; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kafriqoqhatb.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kafriqoqhatb|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27484; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain someogahu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|someogahu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27483; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kugugfozvoq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kugugfozvoq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27482; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qafcoqcoqs.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qafcoqcoqs|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27481; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mihacafreoj.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mihacafreoj|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27480; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hugcicpatk.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hugcicpatk|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27479; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hoqiteoheop.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hoqiteoheop|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27478; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain nilokxeosoz.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|nilokxeosoz|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27477; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ceavuxjajanc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ceavuxjajanc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27476; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain veimulilqead.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|veimulilqead|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27475; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pajicafso.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|pajicafso|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27474; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hoquhuxrokt.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hoquhuxrokt|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27473; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tirqirvealux.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tirqirvealux|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27472; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain supqafbufu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|supqafbufu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27471; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vasuxbuxl.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|vasuxbuxl|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27470; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qeajiwiwib.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qeajiwiwib|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27469; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain piltiviruh.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|piltiviruh|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27468; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hatxirveaxoq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|hatxirveaxoq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27467; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain feovileig.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|feovileig|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27466; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dutugwanirq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dutugwanirq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27465; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gubodafhuxb.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|gubodafhuxb|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27464; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lokrofanpe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lokrofanpe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27463; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain gisubanea.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|gisubanea|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27462; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qocomuhax.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|qocomuhax|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27461; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain latvilsaculo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|latvilsaculo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27460; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain taflowicaf.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|taflowicaf|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27459; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ceagutonugbo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ceagutonugbo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27458; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nugbibejamoq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nugbibejamoq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27457; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain simuwigopat.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|simuwigopat|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27456; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain daffimufuf.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0A|daffimufuf|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27455; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nupansola.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nupansola|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27454; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jutacannafe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|jutacannafe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27453; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fapuxqogirq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|fapuxqogirq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27452; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qoqcinubokje.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|qoqcinubokje|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27451; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lokudeawifu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|lokudeawifu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27450; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain woqwicsone.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|woqwicsone|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27449; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sugaqokag.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sugaqokag|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27448; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain bokrawaveaha.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|bokrawaveaha|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27447; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sicwuplixipu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|sicwuplixipu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27446; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dilhaseoxu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dilhaseoxu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27445; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain reopicjasa.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|reopicjasa|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27444; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vuxnokheil.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vuxnokheil|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27443; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vabuxwoga.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vabuxwoga|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27442; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pozjeosujanc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pozjeosujanc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27441; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain buhabatdu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|buhabatdu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27440; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hatweidafcoq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|hatweidafcoq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27439; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hokcacusok.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hokcacusok|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27438; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain roxigarokhe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|roxigarokhe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27437; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain momaxivuxvo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|momaxivuxvo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27436; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeakawulok.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|jeakawulok|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27435; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hijicxoqk.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|hijicxoqk|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27434; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lozdaflawupq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|lozdaflawupq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27433; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain jupheisozmoz.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|jupheisozmoz|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27432; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain deaqijoqi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|deaqijoqi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27431; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeoheovux.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|jeoheovux|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27430; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xeonokmupvic.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|xeonokmupvic|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27429; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kabozraqick.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kabozraqick|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27428; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lunaratji.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|lunaratji|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27427; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pomeamozsag.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pomeamozsag|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27426; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sudafbilp.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|sudafbilp|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27425; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain veadatlihei.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|veadatlihei|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27424; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dehugnurilr.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dehugnurilr|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27423; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeimupgonokc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|jeimupgonokc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27422; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fonirminugt.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|fonirminugt|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27421; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nugvilgogicn.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nugvilgogicn|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27420; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nogircafloz.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|nogircafloz|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27419; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vuxgabatvo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vuxgabatvo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27418; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain mibufokaflu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mibufokaflu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27417; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hatjicweiruc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|hatjicweiruc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27416; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain veapatjupwa.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|veapatjupwa|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27415; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain coqmuleavi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|coqmuleavi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27414; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gaxubatfu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|gaxubatfu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27413; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bilfasozquta.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|bilfasozquta|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27412; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pivaficfang.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pivaficfang|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27411; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain beodubumu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|beodubumu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27410; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain picgoradokri.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|picgoradokri|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27409; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jucipeimace.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|jucipeimace|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27408; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeireovatlot.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|jeireovatlot|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27407; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain keopijinib.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|keopijinib|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27406; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain heijarocaf.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|heijarocaf|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27405; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hudafveaheo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hudafveaheo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27404; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rotovanuglo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rotovanuglo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27403; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain joseodeofil.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|joseodeofil|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27402; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jixugliwi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|jixugliwi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27401; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kafpicdeasim.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kafpicdeasim|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27400; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mupdircanbid.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|mupdircanbid|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27399; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nirruggirc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|nirruggirc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27398; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gugxafnadugn.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|gugxafnadugn|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27397; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mutigigigah.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mutigigigah|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27396; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kiwikurugce.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0B|kiwikurugce|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27395; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fannaflofozb.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fannaflofozb|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27394; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xaficpedufi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|xaficpedufi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27393; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mupsopicnafo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|mupsopicnafo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27392; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xiqickeam.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xiqickeam|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27391; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain puxmaftavagi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|puxmaftavagi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27390; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xoqhilwoqror.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|xoqhilwoqror|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27389; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mideodeonuk.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mideodeonuk|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27388; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain heotahugqicj.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|heotahugqicj|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27387; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qoqkeivoktig.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|qoqkeivoktig|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27386; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nafgasajuwic.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nafgasajuwic|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27385; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wicxeidokjic.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|wicxeidokjic|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27384; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain culuxsajabo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|culuxsajabo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27383; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mojibudatfo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mojibudatfo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27382; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain girbeoharo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|girbeoharo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27381; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain suvadolit.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|suvadolit|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27380; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain caluneihugj.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|caluneihugj|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27379; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain januvokxo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|januvokxo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27378; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bozwagipeq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|bozwagipeq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27377; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain huceicafwep.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|huceicafwep|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27376; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rafaxokvu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|rafaxokvu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27375; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fozwabozba.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fozwabozba|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27374; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fupveahilvil.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fupveahilvil|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27373; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain lozwoqdeteoc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|lozwoqdeteoc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27372; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lozwoqdeteoc.kz - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|lozwoqdeteoc|02|kz|00|"; fast_pattern:only; classtype:trojan-activity; sid:27371; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jimuhadirbo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|jimuhadirbo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27370; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain citoqcoqx.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|citoqcoqx|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27369; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lubiweigupk.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|lubiweigupk|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27368; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain koqpozhuho.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|koqpozhuho|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27367; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qirmiqoqcafh.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|qirmiqoqcafh|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27366; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain natmagirka.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0A|natmagirka|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27365; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wapicqojapa.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wapicqojapa|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27364; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dafkeaseix.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dafkeaseix|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27363; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wanhilqicq.kz - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wanhilqicq|02|kz|00|"; fast_pattern:only; classtype:trojan-activity; sid:27362; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tupdeapanfit.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tupdeapanfit|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27361; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pirebeoxeoh.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pirebeoxeoh|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27360; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vatqupgigi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vatqupgigi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27359; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jihatvokvod.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|jihatvokvod|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27358; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain beohokeob.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|beohokeob|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27357; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ruheonugx.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ruheonugx|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27356; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fupnoxoqgoxa.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fupnoxoqgoxa|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27355; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain neosicujip.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|neosicujip|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27354; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pozwozseilut.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pozwozseilut|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27353; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xolikusos.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xolikusos|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27352; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kihatsicx.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kihatsicx|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27351; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mukirpewoqd.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0B|mukirpewoqd|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27350; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fupretoweanu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fupretoweanu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27349; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qupwofiljabu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|qupwofiljabu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27348; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain beocoqtea.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|beocoqtea|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27347; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain taxopodafxo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|taxopodafxo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27346; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain batupduggea.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|batupduggea|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27345; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain picdicicdirx.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|picdicicdirx|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27344; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fildirkafxun.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fildirkafxun|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27343; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain feicanwudugw.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|feicanwudugw|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27342; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain weifucicwa.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|weifucicwa|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27341; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pozdafcigafv.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pozdafcigafv|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27340; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tugriljupm.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tugriljupm|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27339; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xafvujoriv.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xafvujoriv|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27338; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xafrugrede.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xafrugrede|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27337; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hokmafgofi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hokmafgofi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27336; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain keagirrokfav.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0C|keagirrokfav|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27335; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tirhipanuwic.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tirhipanuwic|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27334; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dobuveiliti.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dobuveiliti|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27333; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ruxweawova.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ruxweawova|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27332; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain beigupxupoja.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|beigupxupoja|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27331; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeofudokl.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|jeofudokl|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27330; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain numirugxo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|numirugxo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27329; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain heinugsozr.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|heinugsozr|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27328; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain huxnirlogicd.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|huxnirlogicd|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27327; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xububuxti.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xububuxti|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27326; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cukakoqnu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cukakoqnu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27325; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain luxseonirveo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|luxseonirveo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27324; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gomivuxba.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|gomivuxba|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27323; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qirkeitoqdob.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|qirkeitoqdob|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27322; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cupbuxupiq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cupbuxupiq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27321; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain beowozwic.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|beowozwic|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27320; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain foqumafda.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|foqumafda|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27319; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jupregeijick.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|jupregeijick|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27318; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jeiveomafsov.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|jeiveomafsov|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27317; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nokcicmozsan.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nokcicmozsan|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27316; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rilceonafxir.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|rilceonafxir|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27315; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain koqmeosako.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|koqmeosako|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27314; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ficpejeovi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ficpejeovi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27313; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain nugguptalilt.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nugguptalilt|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27312; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain keadirtoqkea.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|keadirtoqkea|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27311; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tirhagutugxi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|tirhagutugxi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27310; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gacafvuxv.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|gacafvuxv|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27309; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fuxtifeibe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fuxtifeibe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27308; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cixicuxus.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cixicuxus|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27307; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tefalilkaqe.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|tefalilkaqe|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27306; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lokjabuxdo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0A|lokjabuxdo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27305; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mupfasakirqi.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|mupfasakirqi|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27304; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain goqrokxiqo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|goqrokxiqo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27303; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain deofutugqupq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|deofutugqupq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27302; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain doraragiqir.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|doraragiqir|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27301; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jozvuxnuna.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|jozvuxnuna|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27300; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fuxqeiqova.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|fuxqeiqova|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27299; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mutufanwozf.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mutufanwozf|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27298; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain kapilupetea.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kapilupetea|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27297; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pozdobatnumo.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pozdobatnumo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27296; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lufiseobozq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|lufiseobozq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27295; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain focuppozh.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|focuppozh|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27294; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain muqawogus.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|muqawogus|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27293; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hokirwozcoq.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hokirwozcoq|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27292; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain noseobokruc.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|noseobokruc|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27291; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cicmotoqcahu.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0C|cicmotoqcahu|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27290; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain beijirukirif.com - pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|beijirukirif|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:27289; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain claimcrazy.us - Win.Kraziomel Trojan"; flow:to_server; content:"|0A|claimcrazy|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27534; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fixingsocialsecurity.org - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|fixingsocialsecurity|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27562; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain phonebillssuck.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|phonebillssuck|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27560; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain prospexleads.com - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|prospexleads|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/88ec7a4f4a675b90f9bcba60558e2c6c14d4a0de90c75d384c8b07daaa74e10e/analysis/; classtype:trojan-activity; sid:27559; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain sectempus.biz - Win.Trojan.PRISM"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sectempus|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27801; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bfisback.no-ip.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|bfisback|05|no-ip|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:16299; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qwertasdfg.sinip.es"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|qwertasdfg|05|sinip|02|es|00|"; fast_pattern:only; classtype:trojan-activity; sid:16298; rev:8;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain butterfly.sinip.es"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|butterfly|05|sinip|02|es|00|"; fast_pattern:only; classtype:trojan-activity; sid:16297; rev:8;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lealemon.xxuz.com - Win.Ransomware.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|lealemon|04|xxuz|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28036; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blackicemaccom.biz - Win.Ransomware.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|blackicemaccom|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; 
sid:28035; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain heftyzonealarm.info - Win.Ransomware.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|heftyzonealarm|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28034; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vosagu.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|vosagu|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:27977; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oogagh.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|oogagh|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:27976; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thepohzi.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|thepohzi|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:27975; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eevootii.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|eevootii|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:27974; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain queiries.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|queiries|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:27971; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain updservice.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|updservice|03|net|00|"; fast_pattern:only; 
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27954; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain service-statistic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|service-statistic|03|com|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27952; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain service-stat.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|service-stat|03|com|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27951; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain full-statistic.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|full-statistic|03|com|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27949; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain level4-co1-as30912.su"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|level4-co1-as30912|02|su|00|"; fast_pattern:only; reference:cve,2010-2568; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28067; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain level4-co2-as30938.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|level4-co2-as30938|02|su|00|"; fast_pattern:only; reference:cve,2010-2568; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28066; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain x2v9.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|x2v9|03|com|00|"; fast_pattern:only; reference:cve,2010-2568; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28065; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain intelbackupsrv.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|intelbackupsrv|02|su|00|"; fast_pattern:only; reference:cve,2010-2568; 
reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28064; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain intelsystems.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|intelsystems|02|su|00|"; fast_pattern:only; reference:cve,2010-2568; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28063; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain intelsecurity.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|intelsecurity|02|su|00|"; fast_pattern:only; reference:cve,2010-2568; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28062; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain intelcore.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|intelcore|02|su|00|"; fast_pattern:only; reference:cve,2010-2568; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50631&name=WORM_SLENFBOT.DF&language=en; 
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-102712-5400-99&tabid=2; reference:url,www.virustotal.com/en/file/A6ABEBEEDD82D3DC8817CFE0EFB00F95965248F0B7E07393745AF89BCC41DC59/analysis/; classtype:trojan-activity; sid:28061; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cmeef.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cmeef|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28077; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain esysinfo.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|esysinfo|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28189; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nohtheer.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|nohtheer|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28187; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pahxeeju.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|pahxeeju|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28185; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain statinfo.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|statinfo|02|su|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28184; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain netprotections.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|netprotections|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28181; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain seguards.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|seguards|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28179; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain inetprotections.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|inetprotections|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28178; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ubicahje.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ubicahje|02|cc|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28175; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uphebuch.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|uphebuch|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28173; rev:2;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain e-statistics.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|e-statistics|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28170; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain main2woo.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|main2woo|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0240C75ADB58F09FF6BCD235238673BF896BDF1A9CAA931066868D047E6938C9/analysis/; classtype:trojan-activity; sid:28168; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kievandmoskaustt.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|kievandmoskaustt|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28152; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain top01.aaablog.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|top01|07|aaablog|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b1cfa93a7425562a9fdf6d02d9e6f5c2f2b6bdc0470515d95343ddaf3198d7e6/analysis; classtype:trojan-activity; sid:28229; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yqaqysuxo.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|yqaqysuxo|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28226; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yjeqoxuce.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|yjeqoxuce|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28225; 
rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uxocukahi.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|uxocukahi|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28224; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain umyniloqa.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|umyniloqa|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28223; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain okujytoce.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|okujytoce|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28222; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain itejoxoto.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|itejoxoto|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28221; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iryseleba.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|iryseleba|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28220; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain emupojyto.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|emupojyto|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28219; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ehaqagaxa.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ehaqagaxa|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28218; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain azureraca.de - kazy"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|09|azureraca|02|de|00|"; fast_pattern:only; classtype:trojan-activity; sid:28217; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wirejournal.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|wirejournal|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ccb6353ce1a0b047aae3620428c7dc430918833aedc56ed01098e174c0942139/analysis/1380892332/; classtype:trojan-activity; sid:28249; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lenderspoker.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|lenderspoker|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ccb6353ce1a0b047aae3620428c7dc430918833aedc56ed01098e174c0942139/analysis/1380892332/; classtype:trojan-activity; sid:28248; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.aquirecosmeticos.com.br"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|aquirecosmeticos|03|com|02|br|00|"; fast_pattern:only; classtype:trojan-activity; sid:28243; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain handjobheats.com - Win.Trojan.Injector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|handjobheats|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:28297; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vvhpq.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|vvhpq|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/3bc03de045cf950a5fab85d55a899bb02a7c71f25f93da3a5f8edec4b9a82b1e/analysis/; classtype:trojan-activity; sid:28282; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain vdohx.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|vdohx|02|su|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/3bc03de045cf950a5fab85d55a899bb02a7c71f25f93da3a5f8edec4b9a82b1e/analysis/; classtype:trojan-activity; sid:28281; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain y.opennews.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|y|08|opennews|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:28330; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain u.eastmoon.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|u|08|eastmoon|02|pl|00|"; fast_pattern:only; classtype:trojan-activity; sid:28329; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mssql.maurosouza9899.kinghost.net - Win.Symmi Trojan"; flow:to_server; content:"|05|mssql|0E|maurosouza9899|08|kinghost|03|net"; fast_pattern:only; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28445; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zoore.arqadas.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zoore|07|arqadas|03|biz|00|"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FQadars.A#tab=2; reference:url,www.virustotal.com/en/file/fe0587480da06bc7c23849c2551a6f58db6ea4cf881f097ac60167422a1ec3fa/analysis/; classtype:trojan-activity; sid:28527; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dkxszh.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dkxszh|03|org|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/0b216c2a7e2ac3284fac877054b135947823c91a712bb1c3e289168c973a6ce0/analysis/; classtype:trojan-activity; sid:28540; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain x.dailyradio.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|x|0A|dailyradio|02|su|00|"; fast_pattern:only; classtype:trojan-activity; sid:28533; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.nospell.kr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|nospell|02|kr|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/43fa1228af9faca959adaa2625c9a6777e3f005becd4ffbb11d5a6d3685ae7e8/analysis/; classtype:trojan-activity; sid:28830; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rome0.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|rome0|03|biz|00|"; fast_pattern:only; reference:url,www.arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf; classtype:trojan-activity; sid:28891; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wifi-usbx.me"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wifi-usbx|02|me|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/902760be507dbaa5e6b26e1183d10710617b53441601624e4f36d079f71b2a0a/analysis/1387181593/; classtype:trojan-activity; sid:28981; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain teamimmsky.de"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|team|06|immsky|02|de|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28980; rev:2;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DELETED BLACKLIST DNS 
reverse lookup response to malicious domain hosted-by.leaseweb.com - Win.Trojan.Bunitu.G"; flow:to_client; content:"|09|hosted-by|08|leaseweb|03|com"; fast_pattern:only; classtype:trojan-activity; sid:28951; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.amoninst.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|amoninst|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/96b3bc41d62e1e2cc00469dd9ddfa4ab6506718d26641d6400d24aa77aca7345/analysis/; classtype:trojan-activity; sid:28928; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain apfi.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|apfi|03|biz|00|"; fast_pattern:only; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29021; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lucas.digitaldesk.biz - Win.Banload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucas|0B|digitaldesk|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29030; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mop.cocente.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mop|07|cocente|03|net"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a36246266f06ddf5d6607781f0c75a91a58ee1a4a6835de371869818eded9d47/analysis/; classtype:trojan-activity; sid:29137; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain takos.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|takos|05|sytes|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b1b61a6cfe722c8f745bb7895a2420bff043516ac6809cbe99c82db62ac120d1/analysis/; classtype:trojan-activity; sid:29134; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 003iuayt.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|003iuayt|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a01dccf9f983c4e3d5a99f8e2103dcb3cdef6505cd30f15491dbea6adb0e9e56/analysis/; classtype:trojan-activity; sid:29116; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.free-screensaver.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|free-screensaver|02|co|02|uk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/aacb126e0a05e8b3aa08e7abae9c28f1d5638a26201d51d6d8668aee4235f867/analysis/; classtype:trojan-activity; sid:29111; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain related to Win.Trojan.SixMuch variant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|otrd|02|cn|00|"; fast_pattern; content:"ptj"; within:4; distance:-13; reference:url,www.virustotal.com/en/file/fadbf5d8176216d1cb23ea29f2fbcb502a935f36ca16d0d9608512494b3615ee/analysis/; classtype:trojan-activity; sid:29106; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain musicbox.servemp3.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|musicbox|08|servemp3|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0c5a5a85ced8c201508d45613330e3909ed99cef90ae15b3695d27928f74407c/analysis/; classtype:trojan-activity; sid:29093; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain kid1232-nbteam.rhcloud.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|kid1232-nbteam|07|rhcloud|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/336ad95431ef2cbff776af1457b07837c71111dd315be1712c824746e0fd0497/analysis/; classtype:trojan-activity; sid:29072; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cl.chnsystem.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|cl|09|chnsystem|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3055358f927b32235bce5c9810d343e53c5abf3d027e410e7435d1eac72b8f65/analysis/; classtype:trojan-activity; sid:29181; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain elzbthfntr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|elzbthfntr|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f89e7f252e5d8427476c4a70e602d67c49f3e01f3c4b0fb0650f80c3b1f909d3/analysis/; classtype:trojan-activity; sid:29161; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ie-config.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ie-config|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:29156; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain owpzusezo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|owpzusezo|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:29147; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain viweabkkfe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|viweabkkfe|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/9df6a1f3eef45d15f9a3c587b3fa0ef02c25b40da8c8c87293e5c442c991fd6c/analysis/; classtype:trojan-activity; sid:29145; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST 
DNS request for known malware domain andreypopov.mcdir.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|andreypopov|05|mcdir|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/c042c46e4f7d63461ebcbb0411f43d69dc3cd46983052c76d3aaea2a1ff019f7/analysis/; classtype:trojan-activity; sid:29305; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 722forbidden1.sytes.net - Win.Trojan.MSIL variant outbound connection "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|722forbidden1|05|sytes|03|net"; fast_pattern:only; reference:url,file-analyzer.net/analysis/1076/5370/0/html; reference:url,www.virustotal.com/en/file/e2aa97c947cdf38e76749e863f73e31c94da76d84ba8b3a8a4342c253b2b934b/analysis/; classtype:trojan-activity; sid:29217; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain W3.NICHIFAN.COM"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|W3|08|NICHIFAN|03|COM|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/26cb61cae1f8c6ce15e2b3585f9d6050b81bbfeb93c307f7a6ab20d2f6a4c95f/analysis/; classtype:trojan-activity; sid:29347; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain buibala.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|buibala|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/49143355FED4993209A8A4168C6387E7DE8A71FDCC17971DB8E78471B2EA76A3/analysis/; classtype:trojan-activity; sid:29338; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain duli.1dxc.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|duli|04|1dxc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/7fc70b83ce36cf32ba8dcf131516de8791ba0d793299f6cedac18ba958e2b136/analysis/; classtype:trojan-activity; sid:29336; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain ziriolo.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|ziriolo|05|sytes|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/9611a49d0181a2c81d319517fede0878c8112f8fd344a1c606c15cd63659e77e/analysis/; classtype:trojan-activity; sid:29388; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain w1.certdownload.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|w1|0C|certdownload|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/02ec8487567b2a358ee5ba32d510062d586b5acd1cf01e69c8d0ac9c0594331f/analysis/; classtype:trojan-activity; sid:29372; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain brilliantcock.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|brilliantcock|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a8a38aaa04cf1d44e119701e507c4c07fa5fcb002de458a9e40c8e8338604499/analysis/; classtype:trojan-activity; sid:29369; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.jlnle.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|jlnle|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a8b92328106c38e56954bb57058e866cb35ed5ba17be7177790d14802883080e/analysis/; classtype:trojan-activity; sid:29366; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain o.lijnl.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|05|lijnl|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a8b92328106c38e56954bb57058e866cb35ed5ba17be7177790d14802883080e/analysis/; classtype:trojan-activity; sid:29365; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nv.googledoc.in"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|02|nv|09|googledoc|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/6c861f326d854f9e7ffd052cdb00c170cfa6c214c7a893b3aac3d1ca2ec55f8e/analysis/; classtype:trojan-activity; sid:29427; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dtl6.mooo.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dtl6|04|mooo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/bf8540491b204edf944d0e8aaa3f89ce657e523dafddc589570aa9575f9bca8f/analysis/; classtype:trojan-activity; sid:29425; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shabidomain.4456dvr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|shabidomain|07|4456dvr|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac/analysis/; classtype:trojan-activity; sid:29479; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.myliveviewer.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0C|myliveviewer|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/b858c38f510aef652affbad5801b3f4fa3c2c87ccdf7eba80e9f2bd5e754d37a/analysis/; classtype:trojan-activity; sid:29463; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tbkfopaf.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|tbkfopaf|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/8be38b72da4e4d8ed43107b36c26bd27a25c78124a528e973f38996f490b0774/analysis/; classtype:trojan-activity; sid:29560; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lab.guidsys.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|lab|07|guidsys|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/df3112a235a6afab9e523b87229fcbdaa1d846a3ef92c5ed1611aa0ad7369214/analysis/; classtype:trojan-activity; sid:29558; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain roudan.serveftp.com - Win.Trojan.Dampt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|roudan|08|serveftp|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3ecfc43c7a82d30243e2bdfdb0254a5178f0390ecd864ef6f44398432acb4b2a/analysis/; classtype:trojan-activity; sid:29662; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain www.youu.pw - Win.Trojan.Truado"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|04|youu|02|pw|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/87ab59e92178018832b1a66df5b42c8cd962e805a844e59c6a14c028a093efd1/analysis/; classtype:trojan-activity; sid:29654; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain redirserver.net - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29779; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain linkconf.net - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29770; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain helpcenter2br6932.cc - Win.Trojan.Careto"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|helpcenter2br6932|02|cc|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29769; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain stylefun.info - Win.Trojan.Adload.dyhq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|stylefun|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29827; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain givemefilesnow.info - Win.Trojan.Adload.dyhq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|givemefilesnow|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29826; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain commandcenteral.info - Win.Trojan.Adload.dyhq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|commandcenteral|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29825; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pibadfixwug.kz - Win.Trojan.Pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pibadfixwug|02|kz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/9f3064634a48216f69d23c0887a71e879115a8388617d016239cf825e84e798b/analysis; classtype:trojan-activity; sid:29894; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cn0803.aiwooolsf.com - Win.Chikdos.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|cn0803|09|aiwooolsf|03|com|00|"; 
fast_pattern:only; reference:url,virustotal.com/en/file/c2a0e9f8e880ac22098d550a74940b1d81bc9fda06cebcf67f74782e55e9d9cc/analysis; classtype:trojan-activity; sid:29876; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jwqakoy3wdktb0.com - Win.Trojan.CryptoLocker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|jwqakoy3wdktb0|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:29875; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dlls.proxysegura.com - Win.Trojan.Brabat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dlls|0B|proxysegura|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/c1fb2f577f3ae9697eb3c52a930c9f7eed293ffcf3745d1b64cc7932873bc19f/analysis/; classtype:trojan-activity; sid:29860; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flippmode.8s.nl - Win.Keylogger.Vacky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|flippmode|02|8s|02|nl|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/cb461e5a7891e357dd1be81b68229bb909648fe27c993adab26c0be7508f2c4f/analysis/; classtype:trojan-activity; sid:29917; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tm-obigurs.com - Win.Trojan.Matsnu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tm-obigurs|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/0183bce3002fc078d7d31245157820943d61f511b62b34b5ec6d0e830df5cc37/analysis/; classtype:trojan-activity; sid:29915; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saturno2014.net - Win.Trojan.Nortusa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|saturno2014|03|net|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/ae294e6667384b919547e24fef76e9564f672f19ee7e3e846a6c8931f1fbef4c/analysis/; classtype:trojan-activity; sid:29910; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain funnygnommi.com - ANDR.Trojan.FakeApp"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|funnygnommi|03|com|00|"; fast_pattern:only; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29977; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain proxim.ircgalaxy.pl - virut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|proxim|09|ircgalaxy|02|pl|00|"; fast_pattern:only; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16304; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain put.ghura.pl - virut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|put|05|ghura|02|pl|00|"; fast_pattern:only; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16303; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain irc.zief.pl - virut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|irc|04|zief|02|pl|00|"; fast_pattern:only; reference:url,threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df; classtype:trojan-activity; sid:16302; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wowwiki.dynalias.net - Win.Trojan.Horsum"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|wowwiki|08|dynalias|03|net|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/6c81871574fb54479e0920ee239f2bec9b636d64991cff66e674885ac1630513/analysis/; classtype:trojan-activity; sid:29993; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aliserv2013.ru - Win.Trojan.Stealzilla"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|aliserv2013|02|ru|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/b9a12f9b6827144d84e65ef2ba454d77cb423c5e136f44bc8d3163d93b97f11f/analysis/; classtype:trojan-activity; sid:30075; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drags.su - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|drags|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30067; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xtremesoftnow.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|xtremesoftnow|02|ru|00|"; fast_pattern:only; classtype:trojan-activity; sid:30062; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain specpsa.com - Win.Trojan.Crowti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|specpsa|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/2B0D6128A70F253D64E71988D7EEE2534247A4617DF2D1D283530AF372A0AAC3/analysis/; classtype:trojan-activity; sid:30046; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain spemtovam.com - Win.Trojan.Crowti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|spemtovam|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/2B0D6128A70F253D64E71988D7EEE2534247A4617DF2D1D283530AF372A0AAC3/analysis/; classtype:trojan-activity; sid:30045; rev:2;) # alert udp $HOME_NET any 
-> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain selekatamata.com - Win.Trojan.Crowti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|selekatamata|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/2B0D6128A70F253D64E71988D7EEE2534247A4617DF2D1D283530AF372A0AAC3/analysis/; classtype:trojan-activity; sid:30044; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware CNC domain yuykaisa.com - Win.Trojan.Crowti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|yuykaisa|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/2B0D6128A70F253D64E71988D7EEE2534247A4617DF2D1D283530AF372A0AAC3/analysis/; classtype:trojan-activity; sid:30043; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain toporung.in.ua - Win.Trojan.Gamut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|toporung|02|in|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30086; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain serenaso.in.ua - Win.Trojan.Gamut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|serenaso|02|in|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30085; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dufoper.in.ua - Win.Trojan.Gamut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dufoper|02|in|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30084; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain arondo.in.ua - Win.Trojan.Gamut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|arondo|02|in|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30083; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bmwlife.net - Win.Trojan.Momibot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bmwlife|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/be042bca62bf0ca496a774557af944442b6f0616adf5e60b3ab2e208370a972b/analysis/; classtype:trojan-activity; sid:30077; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain weather-online.hopto.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|weather-online|05|hopto|03|org|00|"; fast_pattern:only; classtype:trojan-activity; sid:30189; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain top-facts.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|top-facts|05|sytes|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30188; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain pressforum.serveblog.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|pressforum|09|serveblog|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; 
reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30181; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS Uroburos rootkit request for known malware domain forum.sytes.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|forum|05|sytes|03|net|00|"; fast_pattern:only; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,thehackernews.com/2014/03/uroburos-rootkit-most-sophisticated-3.html; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30174; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dronny.net.ua - Win.Trojan.InstallMonster"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dronny|03|net|02|ua|00|"; fast_pattern:only; classtype:trojan-activity; sid:30269; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alphaeffects.net - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|alphaeffects|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/e27f5219fbad3c655a5518d442a943c5dc357b7972fd1edd49e5fadac97d836b/analysis/; classtype:trojan-activity; sid:30286; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain palauone.com - TDL4"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|palauone|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/33fd3964e040d7c5b437a7a75fda6f17f655b50a2a1d50126269eaebb5010e6b/analysis/; classtype:trojan-activity; sid:30285; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain darxk.com - Win.Trojan.Minerd"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|05|darxk|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30550; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kucmcamaqsgmaiye.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|kucmcamaqsgmaiye|03|org|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30545; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aaukqiooaseseuke.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|aaukqiooaseseuke|03|org|00|"; fast_pattern:only; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30543; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain myplanethome.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|myplanethome|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/myplanethome.ru/information/; classtype:trojan-activity; sid:30542; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain endtheword.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|endtheword|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/a79cc40821f8d7f2ce82f4784f04ab1316cd9582b5f50b855d9c983e00ee65e1/analysis/; classtype:trojan-activity; sid:30541; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain domai.ddns2.biz - Win.Trojan.Beebone"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|domai|05|ddns2|03|biz|00|"; 
fast_pattern:only; reference:url,www.virustotal.com/en/domain/domai.ddns2.biz/information/; classtype:trojan-activity; sid:30561; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain usteeptyshehoaboochu.ru - Win.Trojan.Uniemv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|usteeptyshehoaboochu|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/usteeptyshehoaboochu.ru/information/; classtype:trojan-activity; sid:30558; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain poochooshoozoxoachic.ru - Win.Trojan.Uniemv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|14|poochooshoozoxoachic|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/poochooshoozoxoachic.ru/information/; classtype:trojan-activity; sid:30557; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain widowylucenti.info - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|widowylucenti|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30750; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain thijmsmawworm.info - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|thijmsmawworm|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30749; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saynerclecak.info - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|saynerclecak|04|info|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30748; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pilbeamcanar.info - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|pilbeamcanar|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30747; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mpriagribik.com - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mpriagribik|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30746; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ilanjihaemta.info - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ilanjihaemta|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30745; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fowdensuljo.info - Win.Trojan.Ransom"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|fowdensuljo|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30744; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain shagua911.cn - Win.Trojan.Targnik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|shagua911|02|cn|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/2f8fd384ddc6ed0b3386b64bc597d6512ab1cd58660fa463393086d61db551bf/analysis/; classtype:trojan-activity; sid:30775; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dzyhzbak666.com - Andr.Trojan.Oldboot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dzyhzbak666|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f0203c4a59f4b9e701276f0021112c65d7b70dd14b8b3f870412a6432d969097/analysis/; classtype:trojan-activity; sid:30814; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain playerhome.info - Andr.Trojan.Waller"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|playerhome|04|info|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/8ea8ce79404dc6ba06fae16add7bc7859f23c70dbea601cad178dd4180e83299/analysis/; classtype:trojan-activity; sid:30879; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain github.ignorelist.com - Win.Trojan.Barys"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|github|0A|ignorelist|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/9d2b34289df06f44dc02fc0689b28ea4f9c11f7496a0e4c20f9d04152295d832/analysis/; classtype:trojan-activity; sid:30949; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain help.2012hi.hk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|help|06|2012hi|02|hk|00|"; fast_pattern:only; reference:cve,2012-0158; reference:url,www.virustotal.com/en/domain/help.2012hi.hk/information/; classtype:trojan-activity; sid:30989; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.51wana.com - Win.Trojan.Karnos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|51wana|03|com|00|"; fast_pattern:only; 
reference:url,virustotal.com/en/file/c6b1581aa0d8e1b95545d676f68aa32cacd55750e2562ddd66b979d7bc07ee47/analysis/; classtype:trojan-activity; sid:30981; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain whoischeck.biz - Win.Trojan.Hesperbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|whoischeck|03|biz|00|"; fast_pattern:only; reference:url,virustotal.com/en/domain/whoischeck.biz/information/; classtype:trojan-activity; sid:31050; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tibiakeylogger.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|tibiakeylogger|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/fe3e79a26f83c675a46645201577ed5ab6fefebe24fcdb6a0317ce733f5b9451/analysis/; reference:url,www.virustotal.com/en/url/3cd4be4f85e45ec812829ac3028e4a80b1532c5cf728386b7df5b33410aaeb69/analysis/; classtype:trojan-activity; sid:31049; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 2012.8lungu.com - Win.Trojan.Alurewo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|2012|06|8lungu|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/2012.8lungu.com/information/; classtype:trojan-activity; sid:31077; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smtp.noproblembro.com - Win.Trojan.Cryfile"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|smtp|0C|noproblembro|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/65b60abfe53b75ed59eaded22f1ee1645699e0776a3e3d2bc33e579c980c9c1d/analysis/; classtype:trojan-activity; sid:31071; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fudcrypt.com - Win.Trojan.Deedevil"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fudcrypt|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/fudcrypt.com/information/; classtype:trojan-activity; sid:31133; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain uol.conhecaauol.com.br - Win.Trojan.Cahecon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|uol|0B|conhecaauol|03|com|02|br|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/uol.conhecaauol.com.br/information/; classtype:trojan-activity; sid:31120; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain red-move.tk - Win.Trojan.Marmoolak"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|red-move|02|tk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/red-move.tk/information/; classtype:trojan-activity; sid:31118; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bagi.ly - Win.Trojan.Garsuni"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|bagi|02|ly|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/185.27.134.172/information/; classtype:trojan-activity; sid:31115; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blackshades.sytes.net - Win.Trojan.Blackshades"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|blackshades|05|sytes|04|net |00|"; fast_pattern:only; reference:url,virustotal.com/en/file/c6b6bf24186f9161a66d4e55d5cca3005522af8be1822321ab2eb6e0885d015c/analysis/; classtype:trojan-activity; sid:31111; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blackshades.no-ip.info - Win.Trojan.Blackshades"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|blackshades|05|no-ip|05|info |00|"; fast_pattern:only; reference:url,virustotal.com/en/file/c53706b1f77ddfe524e8cfdc435ddb81dad1991253715e35c0fc20b973e6ba8a/analysis/; classtype:trojan-activity; sid:31110; rev:2;) # 
alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blackshades.info.ovh.net - Win.Trojan.Blackshades"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|blackshades|04|info|03|ovh|04|net |00|"; fast_pattern:only; reference:url,virustotal.com/en/file/b8778262fb6331fba87c731de4801feff23fb4553e8fa74ae7fae3c0457fc3df/analysis/; classtype:trojan-activity; sid:31109; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain blackshades.info - Win.Trojan.Blackshades"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|blackshades|05|info |00|"; fast_pattern:only; reference:url,virustotal.com/en/file/b8778262fb6331fba87c731de4801feff23fb4553e8fa74ae7fae3c0457fc3df/analysis/; classtype:trojan-activity; sid:31108; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain r1.getapplicationmy.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|r1|10|getapplicationmy|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/r1.getapplicationmy.info/information/; classtype:trojan-activity; sid:31165; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain key.aggipulla.in - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|key|09|aggipulla|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/108.61.152.106/information/; classtype:trojan-activity; sid:31155; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fly.aggipulla.in - Win.Trojan.Fareit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fly|09|aggipulla|02|in|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/ip-address/108.61.152.106/information/; classtype:trojan-activity; sid:31152; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 
www.give-us-btc.biz - Win.Trojan.Zusy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|give-us-btc|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31294; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vectortango.biz - Win.Trojan.Vectecoin"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|vectortango|03|biz|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/8cc48dd39dccd0944516c086be2a368a38f7cb3d56e2a05aa0bf750fb52d63b4/analysis/; classtype:trojan-activity; sid:31270; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|nofbiatdominicana|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31448; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|mediaocean|04|home|02|pl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b99be0164dafffeca9914b10/analysis/; classtype:trojan-activity; sid:31447; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|16|maskaradshowdominicana|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31446; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain cd5c5c.com - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|cd5c5c|03|com|00|"; fast_pattern:only; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31463; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|joydagaspy|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31457; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|infolooks|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31456; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain security-apps.biz - Andr.Trojan.Emmental"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|security-apps|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0dc7d89c49d70be397c5b66689aabd58d480b73e0071439f8ab2bdf591bc6672/analysis/; classtype:trojan-activity; sid:31516; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bastelfunboard.ch - Andr.Trojan.Emmental"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|bastelfunboard|02|ch|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/0dc7d89c49d70be397c5b66689aabd58d480b73e0071439f8ab2bdf591bc6672/analysis/; classtype:trojan-activity; sid:31514; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain greatfindpage.com"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|0D|greatfindpage|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:31509; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain getsearch.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|getsearch|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:31508; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain casino-onlinepokies.com - Win.Trojan.Glupteba"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|13|casino-onlinepokies|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/f2bec25c90d0a1526ccb4c8fca15801a277658c7d944ce61a8320be1ebf5c428/analysis/; classtype:trojan-activity; sid:31602; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain worldvoicetrip.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|worldvoicetrip|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/890f88af1756ce3296ca58f26f3e96fcace00048bc5f1c13a62b896e90ddea26/analysis/; classtype:trojan-activity; sid:31632; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain games-playbox.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|games-playbox|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/890f88af1756ce3296ca58f26f3e96fcace00048bc5f1c13a62b896e90ddea26/analysis/; classtype:trojan-activity; sid:31631; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|verify-terms|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/verify-terms.com/information/; classtype:trojan-activity; sid:31643; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain prepara.biricell.com.br - Win.Trojan.SpyBanker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|prepara|08|biricell|03|com|02|br|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a9c38b5b26532623d692ef0291ad412ce2c2fd8e46e4f6ed85d1e0d010617d0a/analysis/; classtype:trojan-activity; sid:31640; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain horses.silverlitedirect.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|horses|10|silverlitedirect|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/horses.silverlitedirect.ru/information/; classtype:trojan-activity; sid:31658; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain forces.moimains.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|forces|08|moimains|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/forces.moimains.ru/information/; classtype:trojan-activity; sid:31657; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain facebstats.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|facebstats|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/facebstats.com/information/; classtype:trojan-activity; sid:31656; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain alquimedes.net - Win.Trojan.Ragua"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|alquimedes|03|net|00|"; fast_pattern:only; reference:url,securelist.com/blog/research/66108/el-machete/; reference:url,www.virustotal.com/en/file/8a510076a2ce8c3958fd953dce986185df0a255a23d736ae12b0a89a412ff080/analysis/; classtype:trojan-activity; sid:31710; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|0D|flordeliskm26|03|com|02|br|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31825; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rolex216.8s.nl - Win.Trojan.POSCardStealer"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|rolex216|02|8s|02|nl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/rolex216.8s.nl/information/; classtype:trojan-activity; sid:31894; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hoqou.su - Win.Trojan.POSCardStealer"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|hoqou|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/hoqou.su/information/; classtype:trojan-activity; sid:31893; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fbi.gov.id74283910382.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|fbi|03|gov|0D|id74283910382|02|in|00|"; fast_pattern:only; classtype:trojan-activity; sid:31864; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain welcomemyads.com - Andr.Trojan.Locker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|welcomemyads|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:31863; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wheelreply|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31922; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sellsmall.net - 
Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sellsmall|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31920; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|enemydont|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31918; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vampire123|05|zapto|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1f4b95d7fc20a66acc09f8246f5a936a8263b76aebf973efa45cfe255415d5d1/analysis/; classtype:trojan-activity; sid:31917; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain companies-search.com - Win.Trojan.Ezbro"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|companies-search|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/companies-search.com/information/; classtype:trojan-activity; sid:31953; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wm1.ns01.us - Win.Trojan.Plugx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wm1|04|ns01|02|us|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32178; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain organfriandpopul.su - Win.Trojan.Waski"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|10|organfriandpopul|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/organfriandpopul.su/information/; classtype:trojan-activity; sid:32300; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jollyhollypanzer.com - Win.Trojan.Waski"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|jollyhollypanzer|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/jollyhollypanzer.com/information/; classtype:trojan-activity; sid:32299; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain royalgourp.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|royalgourp|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/; classtype:trojan-activity; sid:32288; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain war.winxps.com - Win.Trojan.Gresim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|war|06|winxps|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41/analysis/; reference:url,virustotal.com/en/file/5475ae24c4eeadcbd49fcd891ce64d0fe5d9738f1c10ba2ac7e6235da97d3926/analysis/; classtype:trojan-activity; sid:32283; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain war.webok.net - Win.Trojan.Gresim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|war|05|webok|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41/analysis/; reference:url,virustotal.com/en/file/5475ae24c4eeadcbd49fcd891ce64d0fe5d9738f1c10ba2ac7e6235da97d3926/analysis/; classtype:trojan-activity; sid:32282; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request 
for known malware domain war.geekgalaxy.com - Win.Trojan.Gresim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|war|0A|geekgalaxy|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41/analysis/; reference:url,virustotal.com/en/file/5475ae24c4eeadcbd49fcd891ce64d0fe5d9738f1c10ba2ac7e6235da97d3926/analysis/; classtype:trojan-activity; sid:32281; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain war.eatuo.com - Win.Trojan.Gresim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|war|05|eatuo|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41/analysis/; reference:url,virustotal.com/en/file/5475ae24c4eeadcbd49fcd891ce64d0fe5d9738f1c10ba2ac7e6235da97d3926/analysis/; classtype:trojan-activity; sid:32280; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain revjj.syshell.org - Win.Trojan.Gresim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|revjj|07|syshell|03|org|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41/analysis/; reference:url,virustotal.com/en/file/5475ae24c4eeadcbd49fcd891ce64d0fe5d9738f1c10ba2ac7e6235da97d3926/analysis/; classtype:trojan-activity; sid:32279; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain images.iphone-android-mobile.com - Win.Trojan.Gresim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|images|15|iphone-android-mobile|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/76b3f7186bd9e6b24b708fdcd9283b824c1b42f562979e28e5d1291e56090770/analysis/; classtype:trojan-activity; sid:32278; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cache.bsqlserver.com - 
Win.Trojan.Hesechca"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cache|0A|bsqlserver|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/dcba379bcb415d95f0e4412c6dcbdc6726b211a4ec0874111d308fbaba4ca3ba/analysis/; classtype:trojan-activity; sid:32271; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain usaserverav.dynsdns.tv - Win.Trojan.Cakwerd"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|usaserverav|07|dynsdns|02|tv|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/b24d47f811138b6d876b9906fee0718a25d48a95e7207543443ab2f36e19fe9a/analysis/; classtype:trojan-activity; sid:32340; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 1.lastnight.z8.ru - Win.Trojan.Maener"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|1|09|lastnight|02|z8|02|ru|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/ce55ff49ec4d360a1aa06ddf378a44d9a72c49677142298df1b56ce7be871cca/analysis/; classtype:trojan-activity; sid:32326; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain deltaping.ru - Win.Trojan.Kovter"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|deltaping|02|ru|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/f278618da7fa84b2ddae2de38f91cd669110528f5b170bb1c03e1efe71fd7215/analysis/; classtype:trojan-activity; sid:32325; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain visit-ankara.com - Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|visit-ankara|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/531baba0284a111245d187441673ab880374dcdbe832613569e198a6ab0fe4f7/analysis/; classtype:trojan-activity; sid:32450; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sellerpro.in.ua - 
Win.Trojan.Backoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sellerpro|02|in|02|ua|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/4777c447bf140c23ec17d0a20c41bdd7b2272b330f10271505a18e98b934c218/analysis/; classtype:trojan-activity; sid:32448; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain standartnevvs.com - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32664; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smigroup-online.co.uk - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32663; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rnil.am - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32662; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain novinitie.com - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32659; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32657; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain n0vinite.com - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32656; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain login-osce.org - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32654; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32653; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain baltichost.org - Group 74"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32652; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain deruserbikl.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|deruserbikl|03|com|00|"; fast_pattern:only; 
reference:url,www.virustotal.com/en/domain/deruserbikl.com/information/; classtype:trojan-activity; sid:32881; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wlkan|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/944df4f8307f53132bef58d5f74ff7473512b8c03461d60317134ab024213e18/analysis/; classtype:trojan-activity; sid:32985; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain outlookexchange.ne"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|outlookexchange|02|ne|00|"; fast_pattern:only; classtype:trojan-activity; sid:33069; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nickgoodsite.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|nickgoodsite|02|co|02|uk|00|"; fast_pattern:only; classtype:trojan-activity; sid:33068; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain outlookscansafe.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|outlookscansafe|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:33067; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain junomaat81.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|junomaat81|02|us|00|"; fast_pattern:only; classtype:trojan-activity; sid:33066; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain msoutexchange.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|msoutexchange|02|us|00|"; fast_pattern:only; classtype:trojan-activity; sid:33065; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lifehealthsanfrancisco2015.com"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|1A|lifehealthsanfrancisco2015|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:33064; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dmforever.biz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dmforever|03|biz|00|"; fast_pattern:only; classtype:trojan-activity; sid:33057; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rpgallerynow.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|rpgallerynow|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:33056; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ellismikepage.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ellismikepage|04|info|00|"; fast_pattern:only; classtype:trojan-activity; sid:33055; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ford-mustang.ro"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ford-mustang|02|ro|00|"; fast_pattern:only; classtype:trojan-activity; sid:33151; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ronpc.net - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ronpc|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33141; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain youare.sexidude.com - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|youare|08|sexidude|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33139; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain mierda.notengodominio.com - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|mierda|0E|notengodominio|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33131; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain legion.sinip.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|legion|05|sinip|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33130; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain lalundelau.sinip.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|lalundelau|05|sinip|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33129; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gusanodeseda.sinip.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|gusanodeseda|05|sinip|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33128; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain defintelsucks.sinip.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|defintelsucks|05|sinip|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33124; rev:2;) # alert udp $HOME_NET any -> any 
53 (msg:"DELETED BLACKLIST DNS request for known malware domain booster.estr.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|booster|04|estr|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33120; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bfisback.sinip.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|bfisback|05|sinip|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33118; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bf2back.sinip.es - Win.Trojan.Mariposa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bf2back|05|sinip|02|es|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/868c15df319b8c01eed0fa7d47d91986806391e15513e7047f201249fc29ff5b/analysis/; classtype:trojan-activity; sid:33117; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|34|oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq|03|b32|03|i2p|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1B8EA8BBD91995F7A9E1C5F6AAF8FA098940C40F025D20D4B00E34BB8839E288/analysis/; classtype:trojan-activity; sid:33210; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain infandibula.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|infandibula|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1B8EA8BBD91995F7A9E1C5F6AAF8FA098940C40F025D20D4B00E34BB8839E288/analysis/; classtype:trojan-activity; sid:33209; rev:2;) 
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain floracrunch.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|floracrunch|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/34561763c4c43a8811d7eb404f5dee72a17d2fff3e20f458fc6a9247043ecbb6/analysis/; classtype:trojan-activity; sid:33327; rev:2;) # alert udp any any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hitechclub.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hitechclub|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/77fbe90d2a6b73aa869b13cccab9e645110dc75859c89763ec7732fa18a358ac/analysis/; classtype:trojan-activity; sid:33326; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain athenaloader.biz - Win.Trojan.Athena"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|athenaloader|03|biz|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/c09075245b525dfb565a257ab483b3434684ba9dd941e327ae865de8e2288043/analysis/; classtype:trojan-activity; sid:33673; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wetguqan.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|wetguqan|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33850; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fimzusoln.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|fimzusoln|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33849; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dreplicag.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|dreplicag|02|ru|00|"; 
fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33848; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kilaxuntf.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|kilaxuntf|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33847; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain horticartf.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|horticartf|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33846; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain quartlet.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|quartlet|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33845; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tabidzuwek.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|tabidzuwek|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33838; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xablopefgr.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|xablopefgr|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33837; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain linturefa.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|linturefa|03|com|00|"; 
fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33836; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain getb.tmpbr.net - Win.Trojan.Pwexes"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|getb|05|tmpbr|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/getb.tmpbr.net/information/; classtype:trojan-activity; sid:33995; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain insidiouspool.com - Win.Trojan.Insidious"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|insidiouspool|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/insidiouspool.com/information/; classtype:trojan-activity; sid:33991; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain server1.bnk1415.net - Win.Trojan.Trioptid"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|server1|07|bnk1415|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/server1.bnk1415.net/information/; classtype:trojan-activity; sid:33988; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jamel100pirar.com.br - Win.Trojan.Banload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|jamel100pirar|03|com|02|br|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/jamel100pirar.com.br/information/; classtype:trojan-activity; sid:34129; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ahoforaje.ru - Win.Trojan.Scarsi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|ahoforaje|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/97f915ea23eb08cb0a18530f30430afc467bb080108d9ea2176112a1f6b82765/analysis/; classtype:trojan-activity; sid:34107; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain legendastar.ru - Win.Backdoor.Nirunte"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|legendastar|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/legendastar.ru/information/; classtype:trojan-activity; sid:34468; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bolsilloner.es"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|bolsilloner|02|es|00|"; fast_pattern:only; reference:url,www.virustotal.com/file/34fcb576a388a64595ea9290c49e777d95c2e771302fa8e7f65c91f31caeb4d8/analysis/; classtype:trojan-activity; sid:25817; rev:7;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain e.mssm.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|e|04|mssm|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18165; rev:10;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.yx240.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|yx240|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18164; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.weilingcy.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|weilingcy|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18162; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware 
domain www.street08.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|street08|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18161; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.stony-skunk.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|stony-skunk|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18160; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.kingsoftduba2009.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|kingsoftduba2009|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18151; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.9292cs.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|9292cs|02|cn|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18137; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.w22rt.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|w22rt|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18129; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.uwonderfull.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|uwonderfull|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18128; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.phoroshop.es"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|phoroshop|02|es|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18123; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED 
BLACKLIST DNS request for known malware domain www.linzhiling123.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|linzhiling123|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18121; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.hao1345.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|hao1345|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18118; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain phoroshop.es"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|phoroshop|02|es|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18108; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain e.msssm.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|e|05|msssm|03|com|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18106; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain b.9s3.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|b|03|9s3|04|info|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18104; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 5yvod.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|5yvod|03|net|00|"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18103; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain windetrusty.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|windetrusty|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34708; rev:2;) # alert udp $HOME_NET any -> 
any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wekustines.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wekustines|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34707; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain silawecxla.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|silawecxla|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34704; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain saqunold.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|saqunold|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34703; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain righletfoligh.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|righletfoligh|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34702; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain renferolto.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|renferolto|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34700; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pomdonekw.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|pomdonekw|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34697; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain polutenign.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|polutenign|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34696; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nawertoby.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nawertoby|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34694; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain masquarten.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|masquarten|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34693; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain letgrownast.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|letgrownast|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34692; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain leladingna.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|leladingna|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34691; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain latemiishe.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|latemiishe|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34690; rev:2;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain ftjuunbesto.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|ftjuunbesto|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34685; rev:2;)
# --- Reviewer notes on the DELETED BLACKLIST DNS entries below ---
# Every entry is commented out, so this block is an archive of retired signatures rather than live
# detection logic; nothing here fires unless an entry is uncommented, and then it runs unchanged.
# Shared shape: "flow:to_server" plus destination port 53 selects client-side DNS queries, and
# "byte_test:1,!&,0xF8,2" requires that none of the top five bits of DNS header byte 2 be set, i.e.
# QR=0 (query, not response) and OPCODE=0 (standard query) in RFC 1035 terms. The "content" is the
# queried name in DNS wire format (length byte, label, ..., |00| terminator). Because a content match
# is a substring search, "|0B|ftjuunbesto|02|ru|00|" also matches any name that ends in
# ftjuunbesto.ru (its leading labels simply precede the pattern), while the |00| keeps it from
# matching a name that continues past ".ru". Entries written without |00| (the Hola VPN and the
# Jenxcus/Dunihi ones) match names that continue past the listed labels as well. "fast_pattern:only"
# hands the string to the fast-pattern matcher alone, with no separate rule-option verification.
# Destination mixing: most entries use "any 53"; the TorrentLocker/Teerac, GlassRAT and
# Jenxcus/Dunihi entries use "$EXTERNAL_NET 53", which does not see queries sent to an internal
# resolver when $EXTERNAL_NET excludes $HOME_NET. Specific inconsistencies are marked "NOTE(review)"
# inline, next to the entry they concern.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dilelanang.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dilelanang|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34683; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain betroninsi.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|betroninsi|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34682; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain berigusaf.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|berigusaf|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34681; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bejustoftun.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|bejustoftun|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34680; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain andbohemut.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|andbohemut|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34679; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain servelatmiru.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|servelatmiru|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34669; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain reswahatce.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|reswahatce|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34667; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rabbutdownlitt.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|rabbutdownlitt|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34666; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain refherssuce.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|refherssuce|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34665; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dinghareun.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|dinghareun|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34659; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cawasuse.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cawasuse|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34658; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain molokalitra.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|molokalitra|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34656; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain litramoloka.ru - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|litramoloka|02|ru|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34655; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain litramoloka.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|litramoloka|03|com|00|"; fast_pattern:only; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:34654; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain homerlindo2.gotdns.org - Win.Trojan.Banker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|homerlindo2|06|gotdns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/8503b7e57c25d1e54833ea4e7b243fb7b44036672e898c2799af16bec2aa1a95/analysis/; classtype:trojan-activity; sid:34852; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sanjosemaristas.com - Win.Trojan.Cozybear"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|sanjosemaristas|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sanjosemaristas.com/information/; classtype:trojan-activity; sid:34829; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain getiton.hants.org.uk - Win.Trojan.Cozybear"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|getiton|05|hants|03|org|02|uk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/getiton.hants.org.uk/information/; classtype:trojan-activity; sid:34827; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pvgnm.com - Win.Trojan.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|pvgnm|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/1e58f55d35c71f42c56ddd3b50f3ee32a8632dbd6ced812882f20a8228902a39/analysis/; classtype:trojan-activity; sid:34929; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known adware domain cloud4ads.com - Win.Adware.PullUpdate"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cloud4ads|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cloud4ads.com/information/; classtype:misc-activity; sid:34926; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gotrubs.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gotrubs|02|us|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/gotrubs.us/information/; classtype:trojan-activity; sid:35046; rev:2;)
# NOTE(review): sid:35255 carries no reference at all, so its attribution cannot be re-checked from the
# rule itself before any reuse.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain massenaufgebot.markettouch.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|massenaufgebot|0B|markettouch|03|net|00|"; fast_pattern:only; classtype:trojan-activity; sid:35255; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain loawelis.org - Win.Trojan.TorrentLocker/Teerac"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|loawelis|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35392; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bokepros.net - Win.Trojan.TorrentLocker/Teerac"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|bokepros|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35391; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain golemerix.com - Win.Trojan.TorrentLocker/Teerac"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|golemerix|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35390; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain poletaute.org - Win.Trojan.TorrentLocker/Teerac"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|poletaute|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35389; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jctj.yongzhe.pw - Win.Trojan.Baisogu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jctj|07|yongzhe|02|pw|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/jctj.yongzhe.pw/information/; classtype:trojan-activity; sid:35470; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wdwwdwfwd|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/wdwwdwfwd.net/information/; classtype:trojan-activity; sid:35803; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wdwwdwfwd|05|net76|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/wdwwdwfwd.net76.net/information/; classtype:trojan-activity; sid:35802; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ledshoppen|02|nl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/ledshoppen.nl/information/; classtype:trojan-activity; sid:35790; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|xenbooter|02|tk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/xenbooter.tk/information/; classtype:trojan-activity; sid:35841; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|vbooter|02|tk|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/vbooter.tk/information/; classtype:trojan-activity; sid:35840; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain movielibraryr.servemp3.com - Win.Trojan.Agent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|movielibraryr|08|servemp3|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/movielibraryr.servemp3.com/information/; classtype:trojan-activity; sid:36047; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kidneyjn.3utilities.com - Win.Trojan.Agent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|kidneyjn|0A|3utilities|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/kidneyjn.3utilities.com/information/; classtype:trojan-activity; sid:36046; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain domainnc.myvnc.com - Win.Trojan.Agent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|domainnc|05|myvnc|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/domainnc.myvnc.com/information/; classtype:trojan-activity; sid:36045; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain checekhelp.serveblog.net - Win.Trojan.Agent"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|checekhelp|09|serveblog|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/checekhelp.serveblog.net/information/; classtype:trojan-activity; sid:36044; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain faq-adobe-directs.com - Win.Trojan.MWZLesson"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|faq-adobe-directs|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/faq-adobe-directs.com/information/; classtype:trojan-activity; sid:36103; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain news.net-freaks.com - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|news|0A|net-freaks|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/news.net-freaks.com/information/; classtype:trojan-activity; sid:36393; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnsfor.dnsfor.me - Win.Trojan.DustySky"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dnsfor|06|dnsfor|02|me|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dnsfor.dnsfor.me/information/; classtype:trojan-activity; sid:36389; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yidjskdfjskdfsdf.cf - Necurs"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|yidjskdfjskdfsdf|02|cf|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/yidjskdfjskdfsdf.cf/information/; classtype:trojan-activity; sid:36381; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain smilydesign.com - Win.Trojan.AridViper"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|smilydesign|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/smilydesign.com/information/; classtype:trojan-activity; sid:36467; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|marmitariakisabor|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/marmitariakisabor.com/information/; classtype:trojan-activity; sid:36520; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|fas-go-jp-security|0B|kensatsutyo|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/fas-go-jp-security.kensatsutyo.com/information/; classtype:trojan-activity; sid:36537; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain win-upd.su - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|win-upd|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/win-upd.su/information/; classtype:trojan-activity; sid:36731; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vzvju.org - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|vzvju|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/vzvju.org/information/; classtype:trojan-activity; sid:36730; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain urirq.com - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|urirq|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/urirq.com/information/; classtype:trojan-activity; sid:36729; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oxjefy.su - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|oxjefy|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/oxjefy.su/information/; classtype:trojan-activity; sid:36728; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oruedk.com - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|oruedk|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/oruedk.com/information/; classtype:trojan-activity; sid:36727; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dtbnox.com - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dtbnox|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/dtbnox.com/information/; classtype:trojan-activity; sid:36726; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain brynj.su - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|brynj|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/brynj.su/information/; classtype:trojan-activity; sid:36725; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain axnlze.net - Win.Trojan.Sefnit"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|axnlze|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/axnlze.net/information/; classtype:trojan-activity; sid:36724; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain aerofix.eu - Win.Trojan.Sathurbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|aerofix|02|eu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/aerofix.eu/information/; classtype:trojan-activity; sid:36669; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain inuxland.eu - Win.Trojan.Sathurbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|inuxland|02|eu|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/inuxland.eu/information/; classtype:trojan-activity; sid:36668; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain newworldtraf.pro - Win.Trojan.Sathurbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|newworldtraf|03|pro|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/newworldtraf.pro/information/; classtype:trojan-activity; sid:36667; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|down|04|rtba|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/down.rtba.info/information/; classtype:trojan-activity; sid:36775; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|count|03|9i1|02|cn|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/count.9i1.cn/information/; classtype:trojan-activity; sid:36774; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS GlassRAT domain echotec.asia"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|echotec|04|asia|00|"; fast_pattern:only; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36906; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|affiliatesys|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/affiliatesys.info/information/; classtype:trojan-activity; sid:37046; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|coding-revolution|02|to|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/url/c729b61c3942ce98c9fdce86f0c84a16804f91147134571649faef7514b15a7c/analysis/; classtype:trojan-activity; sid:37322; rev:2;)
# NOTE(review): sid:37309 and sid:37308 omit the leading length byte for "holanetworksltd" and the
# |00| terminator, so they match any query name containing these labels, including longer ones.
# sid:37308's msg says "netdns-ssl" while its content matches "netdna-ssl"; the msg is the likelier
# typo, given the sibling netdna-cdn entry, but neither entry carries a reference to confirm against.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"holanetworksltd|0A|netdna-cdn|03|com"; fast_pattern:only; classtype:policy-violation; sid:37309; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"holanetworksltd|0A|netdna-ssl|03|com"; fast_pattern:only; classtype:policy-violation; sid:37308; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|leotindall|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/leotindall.com/information/; classtype:trojan-activity; sid:37295; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain fuckingyoursister.ru - Win.Trojan.Derkziel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|fuckingyoursister|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/fuckingyoursister.ru/information/; classtype:trojan-activity; sid:37373; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain derkziel.su - Win.Trojan.Derkziel"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|derkziel|02|su|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/derkziel.su/information/; classtype:trojan-activity; sid:37372; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hefromefro.zapto.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hefromefro|05|zapto|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/hefromefro.zapto.org/information/; classtype:trojan-activity; sid:37491; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yamakdc.duckdns.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|yamakdc|07|duckdns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/yamakdc.duckdns.org/information/; classtype:trojan-activity; sid:37490; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain trojandobyel.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|trojandobyel|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/trojandobyel.no-ip.biz/information/; classtype:trojan-activity; sid:37489; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain spyware-dns.zapto.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|spyware-dns|05|zapto|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/spyware-dns.zapto.org/information/; classtype:trojan-activity; sid:37487; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain queenbeez.zapto.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|queenbeez|05|zapto|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/queenbeez.zapto.org/information/; classtype:trojan-activity; sid:37486; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain oiraqo.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|oiraqo|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/oiraqo.no-ip.biz/information/; classtype:trojan-activity; sid:37485; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain miserablelyles.no-ip.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|miserablelyles|05|no-ip|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/miserablelyles.no-ip.org/information/; classtype:trojan-activity; sid:37484; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hawleryhacker.no-ip.biz - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|hawleryhacker|05|no-ip|03|biz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/hawleryhacker.no-ip.biz/information/; classtype:trojan-activity; sid:37481; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eduardodeath.no-ip.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|eduardodeath|05|no-ip|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/eduardodeath.no-ip.org/information/; classtype:trojan-activity; sid:37479; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain clientten1.ddns.net - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|clientten1|04|ddns|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/clientten1.ddns.net/information/; classtype:trojan-activity; sid:37478; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cleintten1.ddns.net - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cleintten1|04|ddns|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cleintten1.ddns.net/information/; classtype:trojan-activity; sid:37476; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cleintten.duckdns.org - Win.Trojan.Nancrat"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|cleintten|07|duckdns|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cleintten.duckdns.org/information/; classtype:trojan-activity; sid:37475; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wizzmonetize-factory-windows.wizzdevs.com - SpywareJarl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|1C|wizzmonetize-factory-windows|08|wizzdevs|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/wizzmonetize-factory-windows.wizzdevs.com/information/; classtype:trojan-activity; sid:38300; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jqtnohzbck5k.com - Bedep"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|jqtnohzbck5k|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/jqtnohzbck5k.com/information/; classtype:trojan-activity; sid:38366; rev:2;)
# NOTE(review): sid:38728 - msg and content spell the domain "gowasstalpa" but the reference URL reads
# "gowastalpa"; one of the two is a typo and this file does not say which, so verify before reuse.
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|gowasstalpa|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/gowastalpa.com/information/; classtype:trojan-activity; sid:38728; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|nasedrontit|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/nasedrontit.com/information/; classtype:trojan-activity; sid:38727; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|haduseeventsed|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/haduseeventsed.com/information/; classtype:trojan-activity; sid:38726; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain iraqicaht.ddns.net - Win.Trojan.Lorozoad"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|iraqicaht|04|ddns|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/iraqicaht.ddns.net/information/; classtype:trojan-activity; sid:39368; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain reg.hd83rd.ru - Win.Malware.Furtim"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|reg|06|hd83rd|02|ru|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/reg.hd83rd.ru/information/; classtype:trojan-activity; sid:39429; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|homebuyline|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/homebuyline.com/information/; classtype:trojan-activity; sid:39446; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|buyitave|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/buyitave.com/information/; classtype:trojan-activity; sid:39445; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|gettort1|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/1cccc844fcdb255f833a9ef36c2d3c690557b828ed5d0a45d068aeb2af1faac7/analysis/1466174133/; classtype:trojan-activity; sid:39648; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|secpressnetwork|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/1cccc844fcdb255f833a9ef36c2d3c690557b828ed5d0a45d068aeb2af1faac7/analysis/1466174133/; classtype:trojan-activity; sid:39647; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain local.it-desktop.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|local|0A|it-desktop|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/local.it-desktop.com/information/; classtype:trojan-activity; sid:39723; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain glb.it-desktop.com - pisloader"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|glb|0A|it-desktop|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/glb.it-desktop.com/information/; classtype:trojan-activity; sid:39722; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain yejia.blackbeny.com - Win.Trojan.Lientchtp"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|yejia|09|blackbeny|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/yejia.blackbeny.com/information/; classtype:trojan-activity; sid:39784; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tech.decipherment.net - Win.Trojan.Lientchtp"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|tech|0C|decipherment|03|net|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/tech.decipherment.net/information/; classtype:trojan-activity; sid:39783; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain securedesignuk.com - Win.Trojan.Shakti"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|securedesignuk|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/securedesignuk.com/information/; classtype:trojan-activity; sid:40024; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bettitotuld.com - Donoff"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|bettitotuld|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/bettitotuld.com/information/; classtype:trojan-activity; sid:39967; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain phoneupdates.xyz - Win.Trojan.Sapertilz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|phoneupdates|03|xyz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/phoneupdates.xyz/information/; classtype:trojan-activity; sid:40286; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoftwindowsupdate.org - Win.Trojan.Sapertilz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|16|microsoftwindowsupdate|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/microsoftwindowsupdate.org/information/; classtype:trojan-activity; sid:40285; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain microsoftware.xyz - Win.Trojan.Sapertilz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|microsoftware|03|xyz|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/microsoftware.xyz/information/; classtype:trojan-activity; sid:40284; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain core.ircgalaxy.pl - Virut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|core|09|ircgalaxy|02|pl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/core.ircgalaxy.pl/information/; classtype:trojan-activity; sid:40868; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sys.zief.pl - Virut"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|sys|04|zief|02|pl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sys.zief.pl/information/; classtype:trojan-activity; sid:40867; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wilcarobbe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wilcarobbe|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41130; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ritsoperrol.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|ritsoperrol|02|ru|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41129; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain littjohnwilhap.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|littjohnwilhap|02|ru|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41125; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain efax.pfdregistry.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|efax|0B|pfdregistry|03|net|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41123; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|editprod|0B|waterfilter|02|in|02|ua|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41122; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain pg4pszczyna.edu.pl - Win.Trojan.August"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pg4pszczyna|03|edu|02|pl|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/pg4pszczyna.edu.pl/information/; classtype:trojan-activity; sid:41171; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain devid.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|devid|04|info|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/devid.info/information/; classtype:trojan-activity; sid:31655; rev:2;)
# NOTE(review): sid:29858 through sid:29850 - the Microsoft encyclopedia reference reads
# "Dunihi.Areference:url,ThreatID=", two URL parts fused where a query-string separator was apparently
# lost, so treat that reference as unverified until re-resolved. These entries also omit the |00|
# terminator (see the notes at the top). sid:29858 names "np-ip.biz" where the sibling entries use
# "no-ip.biz"; it may be a typo or a distinct domain, so confirm before reuse.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zkzak.np-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zkzak|05|np-ip|03|biz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29858; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vichtorio-israeli.zapto.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|vichtorio-israeli|05|zapto|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29857; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain vanonymous.no-ip.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vanonymous|05|no-ip|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29856; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain school-pc.sytes.net - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|school-pc|05|sytes|03|net"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29855; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain rouge166821.no-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rouge166821|05|no-ip|03|biz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29854; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain no99.zapto.org - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|no99|05|zapto|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29853; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mozaya46415.zapto.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mozaya46415|05|zapto|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29852; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mootje01.no-ip.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|mootje01|05|no-ip|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29851; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mntm.no-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mntm|05|no-ip|03|biz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29850; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mmrick.zapto.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|mmrick|05|zapto|03|org"; fast_pattern:only; 
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29849; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mda.no-ip.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mda|05|no-ip|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29848; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jnyn-99.no-ip.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|jnyn-99|05|no-ip|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29847; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain heartbraker.no-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|heartbraker|05|no-ip|03|biz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29846; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain hackers1990.no-ip.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hackers1990|05|no-ip|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29845; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain fuck-all.no-ip.info - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fuck-all|05|no-ip|04|info"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29844; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain debili1.no-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|debili1|05|no-ip|03|biz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29843; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dd.no-ip.bz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|dd|05|no-ip|02|bz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29842; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain boucraa.no-ip.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|boucraa|05|no-ip|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29841; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain b-trese.no-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|b-trese|05|no-ip|03|biz"; fast_pattern:only; 
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29840; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ahmedghost.no-ip.info - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ahmedghost|05|no-ip|04|info"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29839; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain abocasse.zapto.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|abocasse|05|zapto|03|org"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29838; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DELETED BLACKLIST DNS request for known malware domain abdnjworm.no-ip.biz - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|abdnjworm|05|no-ip|03|biz"; fast_pattern:only; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2; classtype:trojan-activity; sid:29837; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain cifss.org - Win.Trojan.Cozybear"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|cifss|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/cifss.org/information/; classtype:trojan-activity; sid:34826; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain did.ijinshan.com - Win.Trojan.Jadtre"; 
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|did|08|ijinshan|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/7afc3aa4453603d6b11315c3a6a1d80fd36b42fc03f17116c92bc465680b0089/analysis/; classtype:trojan-activity; sid:33881; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Uint8ClampedArray("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39259; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Uint8Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39258; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Uint32Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39257; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Uint16Array("; fast_pattern; nocase; content:"postMessage("; 
within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39256; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Int8Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39255; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Int32Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39254; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Int16Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39253; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Float64Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; 
content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39252; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_server,established; file_data; content:"Float32Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39251; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Uint8ClampedArray("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39250; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Uint8Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39249; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Uint32Array("; fast_pattern; nocase; content:"postMessage("; 
within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39248; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Uint16Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39247; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Int8Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39246; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Int32Array("; fast_pattern; nocase; content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39245; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt"; flow:to_client,established; file_data; content:"Int16Array("; fast_pattern; nocase; 
content:"postMessage("; within:100; nocase; content:"["; within:20; content:"array"; nocase; content:"buffer"; within:7; nocase; reference:cve,2016-3210; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-063; classtype:attempted-user; sid:39244; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-OTHER HTTP Evader ICY header evasion attempt"; flow:to_client,established; content:"icy"; depth:3; fast_pattern; nocase; content:!"icy-"; nocase; classtype:non-standard-protocol; sid:38362; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer invalid object access memory corruption attempt"; flow:to_client,established; file_data; content:".length|3B|i++"; nocase; content:"+= String.fromCharCode("; within:100; nocase; content:".charCodeAt(i)"; within:100; pcre:"/iframe\s+src\s*\x3D\s*(\x22|\x27)[^\1]+\x2Egif\1\s+onload\s*\x3D\s*(\x22|\x27)[^\2]+\x28event\x29\2/smi"; reference:cve,2010-0249; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; classtype:attempted-user; sid:19937; rev:12;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.theoffstage.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|theoffstage|03|com|00|"; fast_pattern:only; classtype:trojan-activity; sid:18094; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST User-Agent known malicious user-agent - Microsoft Internet Explorer - Win.Trojan.Backspace"; flow:to_server,established; content:"User-Agent|3A| Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; http_header; reference:url,www.virustotal.com/en/file/a3be365dbde0e8e2f7706787ccd8db082e1fd5ed539e7605a2fab2df4df5524d/analysis/; classtype:trojan-activity; sid:35569; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kankan.com - Win.Trojan.KanKan"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|06|kankan|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a2912566130ea512b25639b3f95e94c4/analysis/; classtype:trojan-activity; sid:28241; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BLACKLIST User-Agent known malicious user-agent string - realUpdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: realUpdate|0D 0A|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/cb7a29d1dec378f94b394ba4df3dc1fe5fe3b8d1d4ca3e70da3a611b67588ae7/analysis/; classtype:trojan-activity; sid:32944; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BLACKLIST User-Agent known malicious user-agent string - MSDW - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: MSDW|0D 0A|"; fast_pattern:only; http_header; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33241; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BLACKLIST User-Agent known malicious user-agent string myupdate"; flow:to_server,established; content:"User-Agent: myupdate"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/en/file/c9189ab85dcb7782bd048d1b91b6c2c414d6f7e7197f1e7a11189a92ad43c9f7/analysis/; classtype:trojan-activity; sid:32503; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST User-Agent known malicious user-agent string for Safari version that does not exist"; flow:to_server,established; content:"Mozilla/5.0 (Macintosh|3B| Intel Mac OS x 10_10) AppleWebKit/600.1.25 (KHTML, like gecko) Version/8.0 Safari/600.1.25"; fast_pattern:only; reference:url,www.virustotal.com/en/file/a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b/analysis/; classtype:trojan-activity; sid:32675; rev:2;) # alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer null object access attempt"; flow:to_client,established; file_data; content:"Base64.decode"; base64_decode:bytes 10000,offset 2, relative; base64_data; content:"offsetParent"; fast_pattern; content:"null"; within:10; nocase; content:"createElement"; content:"datalist"; within:20; content:"createElement"; content:"table"; within:20; reference:cve,2013-1347; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-038; classtype:attempted-user; sid:26570; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain api.vk.com - Win.Trojan.Maener"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|api|02|vk|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/ce55ff49ec4d360a1aa06ddf378a44d9a72c49677142298df1b56ce7be871cca/analysis/; classtype:trojan-activity; sid:32327; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tempuri.org - Win.Trojan.Soaphrish"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|tempuri|03|org|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/tempuri.org/information/; classtype:trojan-activity; sid:32201; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sr|05|symcd|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/sr.symcd.com/information/; classtype:trojan-activity; sid:32174; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain s2.symcb.com - Osx.Backdoor.iWorm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|s2|05|symcb|03|com|00|"; fast_pattern:only; reference:url,www.virustotal.com/en/domain/s2.symcb.com/information/; classtype:trojan-activity; sid:32173; rev:2;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BLACKLIST Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1; reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/; classtype:trojan-activity; sid:32124; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ftp.drivehq.com - Win.Trojan.Deventiz"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|07|drivehq|03|com|00|"; fast_pattern:only; reference:url,virustotal.com/en/file/f4f494b4e7cdad6a910470998eb52c501e94173d89e343ec28fa24124c8d8eb4/analysis/; classtype:trojan-activity; sid:30054; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"MSXML2."; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29705; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F6D90F16-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29704; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F6D90F14-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; 
content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29703; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F6D90F12-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29702; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F6D90F11-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29701; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F5078F39-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29700; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; 
content:"F5078F36-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29699; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F5078F35-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29698; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F5078F34-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29697; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"F5078F33-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29696; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass 
attempt"; flow:to_server,established; file_data; content:"F5078F32-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29695; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"373984C9-B845-449B-91E7-45AC83036ADE"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29694; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_server,established; file_data; content:"2933BF94-7B36-11D2-B20E-00C04F983E60"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29693; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"MSXML2."; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29692; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core 
Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F6D90F16-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29691; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F6D90F14-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29690; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F6D90F12-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29689; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F6D90F11-9C73-11D3-B32E-00C04F990BB4"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29688; rev:3;) # alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F5078F39-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29687; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F5078F36-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29686; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F5078F35-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29685; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F5078F34-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29684; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F5078F33-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29683; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft XML Core Services same origin policy bypass attempt"; flow:to_client,established; file_data; content:"F5078F32-C551-11D3-89B9-0000F81FE221"; fast_pattern:only; content:".loadXML"; nocase; content:".transformNode"; nocase; content:"]*?href\s*?=\s*?[\x22\x27]?file\x3a\x2f\x2f/i"; reference:cve,2014-0266; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-005; classtype:attempted-recon; sid:29682; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED rule attempt"; flow:to_client,established; file_data; content:"asdfasdfashdfjfgku"; classtype:attempted-user; sid:28191; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft Internet Explorer RDS.Dataspace ActiveX object code execution attempt"; flow:to_client,established; file_data; content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; content:"Shell.application"; nocase; pcre:"/(\w+)\s*?\x3D\s*?document\x2Ecreateelement.*?\1\x2EsetAttribute.*?BD96C556-65A3-11D0-983A-00C04FC29E36.*?\1\x2EcreateObject\x28[\x22\x27]Shell\x2EApplication/smi"; reference:bugtraq,17462; reference:cve,2006-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-014; classtype:attempted-user; sid:21081; rev:9;) 
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_client,established; content:"Content-Type|3A|"; http_header; content:"euc-jp"; within:64; fast_pattern; nocase; http_header; file_data; isdataat:4094,relative; content:"|8F|"; pcre:"/^[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/R"; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:27722; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft Internet Explorer Adodb.Stream ActiveX Object Access CreateObject Function"; flow:to_client,established; file_data; content:"CreateObject"; nocase; content:"Adodb.stream"; distance:0; fast_pattern; nocase; pcre:"/CreateObject\(\s*\x22Adodb\.stream/smi"; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:4983; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Microsoft Windows Media Player 6.4 ActiveX object access"; flow:to_client,established; file_data; content:"22D6F312-B0F6-11D0-94AB-0080C74C7E95"; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22D6F312-B0F6-11D0-94AB-0080C74C7E95/si"; reference:bugtraq,793; reference:cve,1999-1110; classtype:attempted-user; sid:4152; rev:11;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 85"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|85|00|"; fast_pattern:only; classtype:trojan-activity; sid:25141; rev:3;) # alert tcp $HOME_NET [139,445] -> any any (msg:"DELETED NETBIOS SMB named pipe bruteforce attempt"; flow:established,to_client; content:"|00 00 00 23 FF|SMB|A2 34 00 00 C0|"; depth:13; fast_pattern; 
byte_test:1,&,128,0,relative; content:"|00 00 00|"; within:3; distance:23; detection_filter:track by_dst, count 100, seconds 1; reference:url,www.metasploit.com/modules/auxiliary/scanner/smb/pipe_auditor; classtype:attempted-recon; sid:26322; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Unknown Exploit Kit PDF Drop - sdfsdfsd"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:"sdfsdfsdxref"; distance:0; classtype:trojan-activity; sid:23249; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT ClamAV MEW PE file integer overflow attempt"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"PE"; content:"MEW"; content:!"|00|"; within:1; distance:48; reference:bugtraq,26927; reference:cve,2007-6335; classtype:attempted-user; sid:13362; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; reference:bugtraq,21220; reference:cve,2006-6114; reference:cve,2008-0639; classtype:protocol-command-decode; sid:2349; rev:13;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Unknown malicious PDF - CreationDate"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/CreationDate (D:20110405234628"; fast_pattern:only; classtype:trojan-activity; sid:23042; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY mwv file attachment detected"; flow:to_server,established; content:"Content-Disposition: attachment|3B|"; fast_pattern:only; content:"filename=|22|"; nocase; pcre:"/filename=\x22[^\x22]*\x2e(w[avm]x|as[fx]|wm[avx]?)\x22/i"; flowbits:set,file.WMMetafile; flowbits:noalert; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/dd562994%28v=vs.85%29.aspx; 
classtype:misc-activity; sid:23185; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY mwv file download request"; flow:to_server,established; pcre:"/\x2e(w[avm]x|as[fx]|wm[avx]?)([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.WMMetafile; flowbits:noalert; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/dd562994%28v=vs.85%29.aspx; classtype:misc-activity; sid:23183; rev:5;) # alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY mwv file attachment detected"; flow:to_client,established; content:"Content-Disposition: attachment|3B|"; fast_pattern:only; content:"filename=|22|"; nocase; pcre:"/filename=\x22[^\x22]*\x2e(w[avm]x|as[fx]|wm[avx]?)\x22/i"; flowbits:set,file.WMMetafile; flowbits:noalert; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/dd562994%28v=vs.85%29.aspx; classtype:misc-activity; sid:23184; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Possible malicious pdf cve-2010-0188 string"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"CVE-2010-0188"; reference:cve,2010-0188; reference:url,zeroq.kulando.de/post/2012/03/02/malicious-pdf-exploiting-cve-2010-0188; classtype:attempted-user; sid:21537; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Possible malicious pdf cve-2010-0188 string"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"CVE-2010-0188"; reference:cve,2010-0188; reference:url,zeroq.kulando.de/post/2012/03/02/malicious-pdf-exploiting-cve-2010-0188; classtype:attempted-user; sid:23519; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED POLICY-OTHER HP Universal CMDB server axis2 default credentials attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/axis2/axis2-admin/login"; fast_pattern:only; http_uri; content:"username=admin"; nocase; http_client_body; content:"password="; 
nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19157; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Microsoft Windows PIF shortcut file download request"; flow:to_server,established; content:".pif"; fast_pattern:only; http_uri; pcre:"/\x2epif([\?\x5c\x2f]|$)/smiU"; reference:cve,2010-2568; reference:url,en.wikipedia.org/wiki/Program_Information_File; reference:url,technet.microsoft.com/en-us/security/advisory/2286198; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:misc-activity; sid:17043; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Windows Media Metafile file download request"; flow:to_server,established; content:".wma"; nocase; http_uri; pcre:"/\x2ewma([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.asx; flowbits:noalert; classtype:misc-activity; sid:23187; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Apple Mach-O executable file magic detected"; flow:to_client,established; file_data; content:"|CA FE BA BE|"; depth:4; byte_test:4, <, 20, 0, relative; reference:url,developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html; classtype:misc-activity; sid:18983; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Apple Mach-O executable file magic detected"; flow:to_server,established; file_data; content:"|CA FE BA BE|"; depth:4; byte_test:4, <, 20, 0, relative; reference:url,developer.apple.com/library/mac/#documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html; classtype:misc-activity; sid:23719; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DELETED DNS Multiple vendor DNS message decompression denial of service attempt"; content:"|C0 0C|"; depth:2; offset:12; reference:bugtraq,13729; 
reference:cve,2005-0036; classtype:attempted-dos; sid:15991; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED INDICATOR-OBFUSCATION Malvertising redirection attempt - script"; flow:to_client,established; file_data; content:"|7B|document.write|28 27 3C|scr|27 2B 27|ipt|20|type"; fast_pattern:only; reference:url,labs.sucuri.net/?details=smuss.net; classtype:trojan-activity; sid:23970; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OTHER OpenType Font file parsing denial of service attempt"; flow:to_client,established; flowbits:isset,file.otf; file_data; content:"|4F 53 2F 32 55 97 5B 6C 00 00 01 20 00 00 00 60|"; content:"|68 65 61 64 EF 99 CF 00 FF 00 FF FF 00 FF 00 36|"; within:16; distance:16; content:"|68 6D 74 78 01 F4 00 00 00 00 05 A4 00 00 00 08|"; within:16; distance:16; reference:cve,2010-2741; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-078; classtype:denial-of-service; sid:17752; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED PUA-TOOLBARS Trackware iggsey toolbar detection - pass information to server"; flow:to_server,established; content:"/iis2ebs.asp"; nocase; content:"User-Agent|3A| EI"; nocase; http_header; content:"RequestString="; nocase; content:"GENERAL_PARAM1"; distance:0; nocase; content:"GENERAL_PARAM2"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5950; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - chmod"; flow:established,to_server; content:"act=chmod&"; fast_pattern:only; http_uri; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:18688; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - processes"; 
flow:established,to_server; content:"act=processes&"; fast_pattern:only; http_uri; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:18690; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - update"; flow:established,to_server; content:"act=update&"; fast_pattern:only; http_uri; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:18687; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - tools"; flow:established,to_server; content:"act=tools&"; fast_pattern:only; http_uri; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:18686; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - processes"; flow:established,to_server; content:"act=processes&"; fast_pattern:only; http_client_body; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22936; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - chmod"; flow:established,to_server; content:"act=chmod&"; fast_pattern:only; http_client_body; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22935; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - update"; flow:established,to_server; content:"act=update&"; fast_pattern:only; http_client_body; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:22934; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET [1234,32778,2049] (msg:"DELETED EXPLOIT Novell Netware XNFS.NLM Stat notify heap buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 B8|"; depth:12; offset:4; byte_jump:4,12,relative; byte_jump:4,4,relative; 
byte_test:4,>,255,0,relative; reference:bugtraq,50804; reference:cve,2011-4191; classtype:misc-attack; sid:23367; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,993,995] (msg:"DELETED MISC SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv2; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8427; rev:18;) # alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"DELETED NETBIOS Microsoft LNK shortcut download attempt"; flow:to_client,established; content:"|20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D|"; pcre:"/\x2E\x00?d\x00?l\x00?l\x00?/Ri"; reference:cve,2010-2568; reference:url,technet.microsoft.com/en-us/security/bulletin/ms10-046; classtype:attempted-user; sid:19291; rev:4;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX little endian attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB."; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14712; rev:10;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX little endian andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"."; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14720; rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response little endian attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14711; rev:10;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14721; rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX andx attempt"; flow:established,to_client; 
flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"."; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14723; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:4; dce_stub_data; flowbits:set,dce.spoolss.4.call; flowbits:noalert; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14661; rev:17;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX unicode little endian attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB."; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14709; rev:10;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX unicode little endian andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"."; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14717; rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response unicode andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14722; rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response little endian andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14719; 
rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response unicode attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14714; rev:10;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX unicode attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB."; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14716; rev:10;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response unicode little endian andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,little,relative; byte_test:4,>,1024,1,little,relative; reference:cve,2008-1446; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14718; rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{24}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14713; rev:10;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX unicode andx attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"."; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14724; rev:12;) # alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"DELETED NETBIOS SMB spoolss EnumJobs response WriteAndX attempt"; flow:established,to_client; flowbits:isset,dce.spoolss.4.call; content:"|00|"; depth:1; content:"|FF|SMB."; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{28}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|02|"; within:1; distance:1; pcre:"/^.{21}/sR"; byte_jump:4,4,relative; 
byte_test:4,>,1024,1,relative; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14715; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Oracle Java Web Start arbitrary command execution attempt"; flow:to_client,established; content:"Content-type:"; nocase; http_header; pcre:"/Content-type\x3a\s*application\/(x-java-applet|x-java-jnlp-file)/iH"; file_data; content:"-XXaltjvm"; fast_pattern:only; content:"jnlp"; nocase; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; reference:cve,2012-0500; classtype:attempted-user; sid:16585; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY MOV file magic detected"; flow:to_client,established; file_data; content:"pdin"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; classtype:misc-activity; sid:20504; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY MOV file magic detected"; flow:to_server,established; file_data; content:"pdin"; depth:4; offset:4; flowbits:set,file.quicktime; flowbits:noalert; classtype:misc-activity; sid:23686; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED WEB-IIS Microsoft Windows IIS FastCGI heap overflow attempt"; flow:established, to_server; content:"X-14|3A 20|14|0D 0A|X-15|3A 20|15|0D 0A|"; fast_pattern; http_header; content:"X-16|3A 20|16|0D 0A|X-17|3A 20|17|0D 0A|"; http_header; reference:cve,2010-2730; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-065; classtype:attempted-admin; sid:17255; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT asp file upload"; flow:to_server,established; content:".asp"; nocase; flowbits:set,asp.upload; flowbits:noalert; classtype:protocol-command-decode; sid:15471; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP 
SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2529; rev:14;) # alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"DELETED IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2530; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3489; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3487; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; 
flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3488; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3490; rev:9;) # alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"DELETED IMAP TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3492; rev:9;) # alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"DELETED IMAP SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3491; rev:11;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"DELETED MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:6; byte_test:2,>,64,9; flowbits:set,sslv2.client_hello.request; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13711; rev:9;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"DELETED MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt"; 
flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:6; byte_test:2,>,32,11; flowbits:set,sslv2.client_hello.request; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13712; rev:9;) # alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"DELETED MYSQL yaSSL TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:13710; rev:5;) # alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"DELETED MYSQL yaSSL SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:13709; rev:6;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"DELETED MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:6; byte_test:2,>,32,13; flowbits:set,sslv2.client_hello.request; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13713; rev:9;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"DELETED MYSQL yaSSL SSL Hello Message Buffer Overflow attempt"; flow:to_server,established; content:"|16 03 01|"; content:"|01|"; content:"|03 01|"; within:2; distance:3; byte_jump:1,32,relative; byte_test:2,>,64,0,relative; reference:bugtraq,27140; 
reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-admin; sid:13593; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:13;) # alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"DELETED POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3500; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3501; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; 
flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3502; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3499; rev:8;) # alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"DELETED POP3 SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3503; rev:9;) # alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"DELETED POP3 TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3504; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:15;) # alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any 
(msg:"DELETED SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2543; rev:17;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2544; rev:13;) # alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"DELETED SMTP SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3497; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3494; rev:10;) # alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"DELETED SMTP TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3498; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP TLSv1 Client_Hello request"; 
flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3495; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3496; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3493; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS"; pcre:"/^STARTTLS/smi"; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; 
sid:5690; rev:10;) # alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"DELETED SMTP SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:5691; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:5687; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:5688; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:5689; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; 
flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:5685; rev:10;) # alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"DELETED SMTP TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:5686; rev:10;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Suspicious JBIG2 pdf file sent via email"; flow:to_server,established; flowbits:isset,email.pdf; content:"KQklHMkRlY29kZ"; pcre:"/[A-Za-z0-9_\x2f][A-Za-z0-9_\x2f][BFJNRVZdhlptx159]KQklHMkRlY29kZ[QRSTUVWXYZabcdef][A-Za-z0-9_\x2f][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.jbig2decode; flowbits:isset,email.pdf.javascript; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15359; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Suspicious JBIG2 pdf file sent in email"; flow:to_server,established; flowbits:isset,email.pdf; content:"KYXZhU2NyaXB0"; pcre:"/[A-Za-z0-9_\x2f][A-Za-z0-9_\x2f][BFJNRVZdhlptx159]KYXZhU2NyaXB0/"; flowbits:set,email.pdf.javascript; flowbits:isset,email.pdf.jbig2decode; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15360; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Suspicious JBIG2 pdf file sent from email"; flow:to_server,established; flowbits:isset,email.pdf; content:"pCSUcyRGVjb2Rl"; pcre:"/[A-Za-z0-9_\x2f][EUk0]pCSUcyRGVjb2Rl/"; 
flowbits:set,email.pdf.jbig2decode; flowbits:isset,email.pdf.javascript; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15494; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Suspicious JBIG2 pdf file sent with email"; flow:to_server,established; flowbits:isset,email.pdf; content:"SmF2YVNjcmlwd"; pcre:"/SmF2YVNjcmlwd[ABCDEFGHIJKLMNOP][A-Za-z0-9_\x2f][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.javascript; flowbits:isset,email.pdf.jbig2decode; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15497; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Suspicious JBIG2 pdf file sent through email"; flow:to_server,established; flowbits:isset,email.pdf; content:"phdmFTY3Jpcc"; pcre:"/[A-Za-z0-9_\x2f][EUk0]phdmFTY3Jpcc[QRST][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.javascript; flowbits:isset,email.pdf.jbig2decode; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15496; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Suspicious JBIG2 pdf file sent by email"; flow:to_server,established; flowbits:isset,email.pdf; content:"SkJJRzJEZWNvZZ"; pcre:"/SkJJRzJEZWNvZZ[UVWX][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.jbig2decode; flowbits:isset,email.pdf.javascript; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15495; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; 
flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2520; rev:17;) # alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2521; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2658; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:11;) # alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2660; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC TLSv1 Client_Hello 
request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2661; rev:10;) # alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2662; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3059; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03 00|"; depth:3; offset:2; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:10996; rev:6;) # alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC SSLv2 Server_Hello request from SSLv3 Client_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; flowbits:isnotset,sslv3.server_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; 
flowbits:noalert; classtype:protocol-command-decode; sid:11671; rev:7;) # alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC SSLv2 Server_Hello request from TLSv1 Client_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:11965; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3817 (msg:"DELETED EXPLOIT HP Data Protector stack buffer overflow attempt"; flow:to_server,established; content:"|51 84 00 00 02 02 02 32 06 00 00 00|"; byte_test:4,>,1920,0,relative,little; content:"|00 00 00 00|"; within:4; distance:100; pcre:"/^[\x10\x20\x30\x40\x50\x60]\x03/mR"; reference:bugtraq,52431; reference:cve,2012-0121; classtype:attempted-user; sid:24030; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Photo Creative ActiveX clsid access"; flow:established,to_client; file_data; content:"3EEEBC9A-580F-46EF-81D9-55510266413D"; fast_pattern:only; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3EEEBC9A-580F-46EF-81D9-55510266413D\s*}?\s*(?P=q1)(\s|>)/siO"; reference:bugtraq,45631; classtype:attempted-user; sid:19214; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Java Web Start ActiveX launch command by JavaScript CLSID"; flow:established,to_client; file_data; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; nocase; content:"createElement"; nocase; content:"Launch"; nocase; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*document\.createElement\((?P<q1>\x22|\x27|)OBJECT(?P=q1)\).*?(?P=obj)\.classid\s*=\s*(?P<q2>\x22|\x27|)clsid\x3ACAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA(?P=q2).*?(?P=obj)\.launch\(/smi"; reference:bugtraq,39346; 
reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16548; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Java Web Start ActiveX launch command by CLSID"; flow:established,to_client; file_data; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; nocase; content:"Launch"; nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA\s*}?(?P=q1)/smi"; pcre:"/([A-Z\d_]+)\.Launch\(/smi"; reference:bugtraq,39346; reference:cve,2010-0886; reference:cve,2010-1423; classtype:attempted-user; sid:16547; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office TIFF filter remote code execution attempt"; flow:to_client,established; flowbits:isset,file.tiff; file_data; content:"|03 00 00 00 96 03 00 00 15 01 03 00 01 00 00 00 FF 00 00 00 16 01 04 00 01 00 00 00 13 00 00 00|"; fast_pattern:only; reference:cve,2010-3647; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-105; classtype:attempted-user; sid:19316; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|0F 00 04 F0 86 00 00 00 01 00 09 F0 10 00 00 00 B8 0B 00 00|"; fast_pattern:only; reference:bugtraq,38073; reference:cve,2010-0243; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; classtype:attempted-user; sid:19443; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 04 F0 28 00 00 00 02 00 0A F0 08 00 00 00 00 04 00 00 05 00 00 00 01 00 09 F0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 03 F0 0E 03 00 00 0F 00 04 F0 86 00|"; 
fast_pattern:only; reference:bugtraq,44656; reference:cve,2010-3334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:22036; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 04 F0 28 00 00 00 01 00 09 F0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 0A F0 08 00 00 00 00 04 00 00 05 00 00 00 0F 00 04 F0 D2 00 00 00 12 00 0A F0 08 00 00 00|"; fast_pattern:only; reference:bugtraq,38073; reference:bugtraq,44656; reference:cve,2010-0243; reference:cve,2010-3334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:22037; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|00 04 F0 28 00 00 00 02 00 0A F0 08 00 00 00 00 04 00 00 05 00 00 00 01 00 09 F0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 03 F0 32 01 00 00 0F 00 04 F0 86 00|"; fast_pattern:only; reference:bugtraq,44656; reference:cve,2010-3334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; classtype:attempted-user; sid:22035; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF EmbeddedFile contained within a PDF"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-"; content:"/EmbeddedFile"; distance:0; classtype:trojan-activity; sid:23250; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT Microsoft Windows MFC Document title updating buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.zip; 
file_data; content:"|50 4B 03 04|"; depth:4; byte_test:2,>,128,26,relative; reference:bugtraq,41333; reference:cve,2010-3227; classtype:attempted-user; sid:19212; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealNetworks RealPlayer compressed skin overflow attempt"; flow:established,to_client; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; depth:4; byte_test:4,>,33412,22,relative,little; reference:bugtraq,11555; reference:cve,2004-1094; classtype:attempted-user; sid:21419; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Excel MSO.DLL malformed string parsing multi byte buffer over attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|00 00 00 00 00 00 1D 00 0F 00 03 00 00 00|"; content:"|00|"; within:1; distance:2; isdataat:6,relative; content:!"|00 00 00 00 00|"; within:5; distance:1; reference:bugtraq,17252; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7198; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Outlook EML file download request"; flow:to_server,established; content:".eml"; http_uri; pcre:"/\x2eeml([\?\x5c\x2f]|$)/smiU"; reference:nessus,10767; classtype:misc-activity; sid:1233; rev:18;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Microsoft Office Word file magic detected"; flow:to_client,established; file_data; content:"|32 BE 00 00|"; depth:4; flowbits:set,file.doc; flowbits:noalert; classtype:misc-activity; sid:20499; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Microsoft Office Word file magic detected"; flow:to_client,established; file_data; content:"|31 BE 00 00|"; depth:4; flowbits:set,file.doc; flowbits:noalert; classtype:misc-activity; sid:20498; rev:11;) # alert tcp $EXTERNAL_NET 
any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; flowbits:unset,starttls.attempt; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2528; rev:25;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY s3m file download attempt"; flow:to_server,established; content:"|2E|s3m"; nocase; http_uri; pcre:"/\x2Es3m([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.s3m; flowbits:noalert; classtype:misc-activity; sid:21106; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Excel label record overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|02 04|"; byte_test:2,>,35071,2,relative,little; reference:bugtraq,28166; reference:cve,2006-1309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-037; classtype:attempted-user; sid:7199; rev:19;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over smtp"; flow:to_server,established; content:"dHJlYW0K"; fast_pattern:only; pcre:"/dHJlYW0K[A-Za-z0-9_\x2f][FVl1]dT/s"; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19273; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over smtp"; flow:to_server,established; content:"cmVhbQ0K"; fast_pattern:only; pcre:"/cmVhbQ0K[A-Za-z0-9_\x2f][FVl1]dT/s"; 
reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19271; rev:4;) # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over pop3"; flow:to_client,established; content:"cmVhbQ0K"; fast_pattern:only; pcre:"/cmVhbQ0K[A-Za-z0-9_\x2f][FVl1]dT/s"; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19277; rev:4;) # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over pop3"; flow:to_client,established; content:"cmVhbQ"; fast_pattern:only; pcre:"/cmVhbQ[opqr][A-Za-z0-9_\x2f]/s"; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19280; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over smtp"; flow:to_server,established; content:"cmVhbQ"; fast_pattern:only; pcre:"/cmVhbQ[opqr][A-Za-z0-9_\x2f]/s"; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19274; rev:4;) # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over pop3"; flow:to_client,established; content:"c3RyZWFtCi5X"; fast_pattern:only; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; 
reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19278; rev:4;) # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over pop3"; flow:to_client,established; content:"c3RyZWFtDQ"; fast_pattern:only; pcre:"/c3RyZWFtDQ[opqr][A-Za-z0-9_\x2f]V1N8/s"; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19275; rev:4;) # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over pop3"; flow:to_client,established; content:"dHJlYW0K"; fast_pattern:only; pcre:"/dHJlYW0K[A-Za-z0-9_\x2f][FVl1]dT/s"; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19279; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over smtp"; flow:to_server,established; content:"c3RyZWFtCi5X"; fast_pattern:only; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19272; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF attempted download of a PDF with embedded Flash over smtp"; flow:to_server,established; content:"dHJlYW0NCi5X"; fast_pattern:only; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19270; rev:4;) # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"DELETED 
FILE-PDF attempted download of a PDF with embedded Flash over pop3"; flow:to_client,established; content:"dHJlYW0NCi5X"; fast_pattern:only; reference:bugtraq,35759; reference:bugtraq,44503; reference:cve,2009-1862; reference:cve,2010-3654; reference:url,blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html; classtype:policy-violation; sid:19276; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Microsoft Windows EMF metafile file download request"; flow:to_server,established; content:".emf"; fast_pattern:only; http_uri; pcre:"/\x2eemf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.emf; flowbits:noalert; classtype:misc-activity; sid:13678; rev:23;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Excel style handling overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|E0 00|"; byte_jump:2,0,relative,little; content:"|93 02|"; within:2; byte_test:2,>,733,4,relative,little; byte_test:1,!&,0x80,3,relative; reference:bugtraq,18872; reference:cve,2006-3431; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-059; classtype:attempted-user; sid:7024; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 497 (msg:"DELETED EXPLOIT EMC retrospect client crafted packet overflow attempt"; flow:to_server,established; content:"h"; depth:1; offset:1; byte_test:4,>,36,4; reference:bugtraq,17948; reference:cve,2006-2391; classtype:attempted-admin; sid:6508; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Microsoft Office Excel .xls attachment"; flow:to_server,established; content:"name="; nocase; content:".xls"; fast_pattern:only; pcre:"/name=\x22[^\x22]*\.xls/i"; flowbits:set,email.xls; flowbits:noalert; classtype:misc-activity; sid:18552; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Microsoft Office Excel .xlw attachment"; flow:to_server,established; 
content:"name="; nocase; content:".xlw"; fast_pattern:only; pcre:"/name=\x22[^\x22]*\.xlw/i"; flowbits:set,email.xls; flowbits:noalert; classtype:misc-activity; sid:18553; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Microsoft Office PowerPoint .ppt attachment"; flow:to_server,established; content:"name="; nocase; content:".ppt"; fast_pattern:only; pcre:"/name=\x22[^\x22]*\.ppt/i"; flowbits:set,email.ppt; flowbits:noalert; classtype:misc-activity; sid:18554; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Microsoft Office Word .doc attachment"; flow:to_server,established; content:"name="; nocase; content:".doc"; fast_pattern:only; pcre:"/name=\x22[^\x22]*\.doc/i"; flowbits:set,email.doc; flowbits:set,email.rtf; flowbits:noalert; classtype:misc-activity; sid:18551; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Rich text file .rtf attachment"; flow:to_server,established; content:"name="; nocase; content:".rtf"; fast_pattern:only; pcre:"/name=\x22[^\x22]*\.rtf/i"; flowbits:set,email.rtf; flowbits:noalert; classtype:misc-activity; sid:18701; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED FILE-IDENTIFY Cisco Webex Player file attachment detected"; flow:to_server,established; content:"Content-Disposition: attachment|3B|"; fast_pattern:only; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; classtype:misc-activity; sid:21115; rev:3;) # alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Cisco Webex Player file attachment detected"; flow:to_client,established; content:"Content-Disposition: attachment|3B|"; fast_pattern:only; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ewrf[\x22\x27\s]/si"; flowbits:set,file.wrf; flowbits:noalert; classtype:misc-activity; sid:21114; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX iPIX Media Send Class ActiveX function call access"; flow:established,to_client; file_data; content:"iPIX.Rimfire4.1"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\)/smi"; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10473; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iPIX Image Well ActiveX function call access"; flow:established,to_client; file_data; content:"iPIX.ImageWell"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\)/smi"; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10469; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Internet Explorer JPEG heap overflow multipacket attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF C0|"; content:"|FF DA|"; distance:0; pcre:"/\xFF\xC0[^\xFF]{8}(([^\xFF])[^\xFF]{2})(([^\xFF])[^\xFF]{2})?(([^\xFF])[^\xFF]{2})?(([^\xFF])[^\xFF]{2})?\xFF.*\xFF\xDA[^\xFF]{2}[\x01-\x04](?(?=\2)[^\xFF]{2}(?(4)(?(?=\4)[^\xFF]{2}(?(6)(?(?=\6)[^\xFF]{2}(?(8)(?(?=\8)(?!))|(?!)))|(?!)))|(?!)))/s"; reference:bugtraq,14282; reference:bugtraq,14284; reference:cve,2005-1988; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-038; classtype:attempted-dos; sid:4136; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_server,established; 
content:"Content-Disposition: attachment|3B|"; fast_pattern:only; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ewri[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; classtype:misc-activity; sid:20985; rev:4;) # alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected"; flow:to_client,established; content:"Content-Disposition: attachment|3B|"; fast_pattern:only; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ewri[\x22\x27\s]/si"; flowbits:set,file.doc; flowbits:noalert; classtype:misc-activity; sid:20984; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP Exchange MODPROPS denial of service attempt"; flow:to_server,established; content:"content-classescalendarmessage"; fast_pattern:only; pcre:"/^X-MICROSOFT-CDO-MODPROPS\x3A[^\n]*(?P\w+),[^\n]*(?=prop)/Bmi"; reference:bugtraq,23808; reference:cve,2007-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-dos; sid:11222; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DELETED WEB-MISC TLSv1 Client_Certificate handshake"; flow:established, to_server; ssl_version:tls1.0; content:"|16 03 01|"; content:"|0B|"; within:1; distance:2; flowbits:set,tlsv1.client_hello.certificate; flowbits:noalert; classtype:protocol-command-decode; sid:17748; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DELETED WEB-MISC TLSv1 Client Change Cipher Spec message"; flow:established, to_server; ssl_version:tls1.0; content:"|14 03 01 00 01 01|"; depth:6; flowbits:set,tlsv1.client_change_cipher_spec; flowbits:noalert; classtype:protocol-command-decode; sid:18318; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BACKDOOR Trojan.TDSS.1.Gen install detection"; flow:to_server,established; content:"/tdss/"; nocase; http_uri; content:"Host|3A| yournewsblog.net"; nocase; http_header; 
reference:url,www.virustotal.com/file-scan/report.html?id=4203323a3e93c1f94dea1e239241fbf7a6a76353750d3fa5e33172cc7bfac3bd-1310704032; classtype:trojan-activity; sid:19844; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BACKDOOR Trojan.TDSS.1.Gen install detection"; flow:to_server,established; content:"/botmon/readdata/"; nocase; http_uri; content:"Host|3A| findzproportal1.com"; nocase; http_header; reference:url,www.virustotal.com/file-scan/report.html?id=4203323a3e93c1f94dea1e239241fbf7a6a76353750d3fa5e33172cc7bfac3bd-1310704032; classtype:trojan-activity; sid:19845; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY RIFF file magic detected"; flow:to_client,established; file_data; content:"RIFF"; depth:4; flowbits:set,file.avi; flowbits:set,file.wav; flowbits:noalert; classtype:misc-activity; sid:20470; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"DELETED EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; flow:to_server, established; content:"|03 00|"; depth:2; content:"|7F 65 82|"; content:"|04 01 01 04 01 01 01|"; distance:0; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,2,relative; byte_test:1,<,6,-1,relative; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; classtype:attempted-admin; sid:21571; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"DELETED EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; flow:to_server, established; content:"|03 00|"; depth:2; content:"|7F 65 82|"; content:"|04 01 01 04 01 01 01|"; distance:0; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,0,relative; content:"|30|"; within:24; byte_jump:1,0,relative; content:"|30|"; within:24; byte_jump:1,2,relative; byte_test:1,<,6,-1,relative; reference:cve,2012-0002; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; classtype:attempted-admin; sid:21572; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"DELETED EXPLOIT Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; flow:to_server, established; content:"|03 00|"; depth:2; content:"|7F 65 82|"; content:"|04 01 01 04 01 01 01|"; distance:0; byte_jump:1,0,relative; content:"|30|"; within:1; byte_jump:1,2,relative; byte_test:1,>,6,-1,relative; byte_jump:1,1,relative; byte_test:1,>,7,-1,relative; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; classtype:attempted-admin; sid:21592; rev:2;) # alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"DELETED BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; classtype:misc-activity; sid:145; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED EXPLOIT BEA WebLogic jsessionid buffer overflow attempt"; flow:to_server,established; content:"JSESSIONID="; nocase; isdataat:500,relative; pcre:"/^Cookie\x3a[^\n]*[\x3b\x3a]\s*JSESSIONID=[^\n\x3b=]{500}/smi"; reference:bugtraq,33177; reference:cve,2008-5457; classtype:attempted-admin; sid:15010; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2517; rev:25;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv3 invalid Client_Hello attempt"; 
flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2531; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8440; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv3 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,25831; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8439; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; 
reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8438; rev:16;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Java JAR file download attempt"; flow:to_server,established; content:".jar"; fast_pattern:only; nocase; http_uri; pcre:"/^[^\?]*\.jar([\?\x5c\x2f]|$)/Usi"; flowbits:set,http.jar; flowbits:noalert; classtype:misc-activity; sid:21388; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2518; rev:24;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2537; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; 
classtype:attempted-admin; sid:8429; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8431; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,25831; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8430; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:3511; rev:23;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv3 openssl get shared ciphers 
overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,25831; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8434; rev:16;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP SSLv3 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,25831; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8435; rev:16;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8432; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; 
flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8433; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8437; rev:15;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; reference:bugtraq,20249; reference:bugtraq,22083; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8436; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Bitmap width integer overflow multipacket attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; byte_test:4,>,83386080,16,relative,little; reference:bugtraq,11171; reference:cve,2004-0904; reference:cve,2008-3015; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-052; classtype:attempted-admin; sid:3634; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established,no_stream; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2522; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC PROPPATCH Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"PROPPATCH"; depth:9; nocase; isdataat:200,relative; pcre:"/^PROPPATCH\s+[^\s]{200}/smi"; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:21238; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC PROPFIND Webdav Stack Buffer Overflow attempt"; flow:to_server,established; content:"PROPFIND"; depth:8; nocase; isdataat:200,relative; pcre:"/^PROPFIND\s+[^\s]{200}/smi"; reference:bugtraq,37874; reference:cve,2010-0361; classtype:attempted-admin; sid:21237; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Apache server mod_proxy reverse proxy exposure attempt"; flow:to_server,established; content:"@"; http_uri; pcre:"/^\x40/smiU"; reference:cve,2011-3368; reference:url,seclists.org/fulldisclosure/2011/Oct/232; classtype:misc-activity; sid:20580; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP Micrsoft Office Outlook VEVENT non-TZID overflow attempt"; flow:to_server,established; content:"DTSTART|3B|"; nocase; content:!"value"; within:5; nocase; content:!"TZID"; within:4; nocase; pcre:"/^DTSTART\x3B/smi"; reference:bugtraq,21931; reference:cve,2007-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-003; classtype:attempted-user; 
sid:10012; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows 7 x86-64 Safari Browser iFrame DoS Attempt"; flow:to_client,established; file_data; content:""; distance:0; nocase; reference:url,secunia.com/advisories/47237/; classtype:attempted-dos; sid:20765; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY BIN file download request"; flow:to_server,established; content:".bin"; nocase; http_uri; pcre:"/\x2ebin([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bin; flowbits:set,file.doc; flowbits:set,file.xls; flowbits:set,file.pdf; flowbits:set,file.hlp; flowbits:noalert; classtype:misc-activity; sid:20070; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0"; flow:to_client,established; flowbits:isset,file.gif; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:3536; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT multipacket CBO CBL CBM file transfer attempt"; flow:to_client,established; flowbits:isset,bookmark_link_content_type; file_data; content:"Interactive Training]"; pcre:"/\[(Microsoft |Microsoft Press )?Interactive Training\]/"; reference:bugtraq,13944; reference:cve,2005-1212; reference:cve,2006-3448; reference:nessus,18492; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-031; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-005; classtype:attempted-user; sid:4195; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT multipacket CBO CBL CBM file transfer start"; flow:to_client,established; content:"text/plain"; nocase; http_header; 
pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)text\x2fplain/smiH"; flowbits:set,bookmark_link_content_type; flowbits:noalert; classtype:protocol-command-decode; sid:4194; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0"; flow:to_client,established; flowbits:isset,file.gif; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; reference:nessus,17605; classtype:attempted-user; sid:6503; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Microsoft Office Excel Workspace file download request"; flow:to_server,established; content:".xlw"; nocase; http_uri; pcre:"/\x2exlw([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xlw; flowbits:noalert; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:12285; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED FILE-IDENTIFY xspf file download attempt"; flow:to_server,established; content:"|2E|xspf"; http_uri; pcre:"/\x2Exspf(\?\x5C\x2F]|$)/smiU"; flowbits:set,file.xspf; flowbits:noalert; reference:url,www.exploit-db.com/exploits/10333/; classtype:misc-activity; sid:20672; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Sun Java class file request"; flow:to_server,established; content:".class"; nocase; http_uri; flowbits:set,http.class; flowbits:noalert; classtype:misc-activity; sid:20056; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT Microsoft Windows 2000 Kodak Imaging small offset malformed tiff"; flow:to_client,established; content:"II*|00|"; byte_jump:4,0,relative,little; content:"|02 01 03 00|"; distance:-8; byte_test:4,>,6,0,relative,little; reference:cve,2007-2217; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-055; 
classtype:attempted-user; sid:12633; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED DOS generic web server hashing collision attack"; flow:established,to_server; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]*&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; classtype:attempted-dos; sid:20823; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SHELLCODE Possible heap spray attempt"; flow:to_client, established; file_data; content:"this.mem = new Array|28 29|"; flowbits:set,http.spray; flowbits:noalert; classtype:shellcode-detect; sid:19267; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY MIME file type file download request"; flow:to_server,established; content:".mime"; fast_pattern:only; nocase; http_uri; pcre:"/\x2emime([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.mime; flowbits:noalert; reference:url,en.wikipedia.org/wiki/MIME; classtype:misc-activity; sid:20033; rev:5;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt"; flow:to_server,established; content:"w|00|a|00|b|00|3|00|2|00|r|00|e|00|s|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; reference:cve,2011-2016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-085; classtype:attempted-user; sid:20541; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Microsoft Windows Address Book wab32res.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wab32res.dll"; nocase; http_uri; reference:cve,2011-2016; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-085; classtype:attempted-user; sid:20542; rev:3;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt"; flow:to_client,established; content:""; nocase; content:""; distance:0; nocase; content:" $HOME_NET any (msg:"DELETED WEB-CLIENT bitmap transfer"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)image\x2fbmp/smi"; flowbits:set,file.bmp; flowbits:noalert; classtype:protocol-command-decode; sid:3633; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Rich Text Format file request"; flow:to_server,established; content:".rtf"; nocase; http_uri; flowbits:set,file.rtf; flowbits:noalert; classtype:misc-activity; sid:15123; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Apple Quicktime SMIL transfer request"; flow:established,to_server; content:".smi"; nocase; http_uri; pcre:"/\x2esmi(l)?\b/i"; flowbits:set,file.smil; flowbits:noalert; classtype:misc-activity; sid:18927; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; content:".smi"; nocase; http_uri; flowbits:set,file.realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:17;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT GIF transfer"; flow:to_client,established; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smiH"; flowbits:set,file.gif; flowbits:noalert; classtype:protocol-command-decode; sid:3535; rev:14;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT quicktime movie file transfer"; flow:to_client,established; content:"video/quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fquicktime/smiH"; flowbits:set,file.quicktime; flowbits:noalert; classtype:protocol-command-decode; sid:4678; rev:16;) # alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Audio Interchange File Format file request"; flow:to_server,established; content:".aif"; nocase; http_uri; flowbits:set,file.aiff; flowbits:noalert; classtype:misc-activity; sid:15899; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Audio Interchange File Format download request"; flow:to_server,established; content:".aiff"; nocase; http_uri; flowbits:set,file.aiff; flowbits:noalert; classtype:misc-activity; sid:15898; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"DELETED IMAP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2497; rev:17;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED POLICY download of .bin file"; flow:established,to_server; content:".bin"; nocase; http_uri; pcre:"/\.bin(\x3F|$)/Ui"; classtype:misc-activity; sid:16629; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2502; rev:17;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv3 invalid data version attempt"; 
flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2504; rev:16;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2541; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT VLC Media Player udp URI format string attempt - multipacket"; flow:to_client,established; flowbits:isset,file.m3u; content:"udp|3A|//"; nocase; content:"%"; distance:0; pcre:"/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi"; reference:bugtraq,21852; reference:cve,2007-0017; reference:url,projects.info-pull.com/moab/MOAB-02-01-2007.html; classtype:attempted-user; sid:9846; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED DOS Digium Asterisk SIP sscanf denial of service attempt"; flow:to_server,established; content:"Content-Length"; nocase; pcre:"/^\s*\x3a\s*\d{11}/R"; reference:bugtraq,36015; reference:cve,2009-2726; classtype:attempted-dos; sid:16211; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED DOS Digium Asterisk SIP sscanf denial of service attempt"; flow:to_server,established; content:"rtpmap"; nocase; pcre:"/^\s*\x3a\s*\d{11}/R"; reference:bugtraq,36015; reference:cve,2009-2726; classtype:attempted-dos; sid:16212; rev:2;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 5060 (msg:"DELETED DOS Digium Asterisk SIP sscanf denial of service attempt"; flow:to_server,established; content:"CSeq"; nocase; pcre:"/^\s*\x3a\s*\d{11}/R"; reference:bugtraq,36015; reference:cve,2009-2726; classtype:attempted-dos; sid:16210; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED EXPLOIT Ethereal SIP UDP CSeq overflow attempt"; flow:to_server; content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16; pcre:"/^CSeq\x3A\s*[^\nA-Za-z]*[A-Za-z][^\n]{16,}/smi"; reference:bugtraq,13504; reference:cve,2005-1461; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:3677; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED EXPLOIT Ethereal SIP UDP CSeq overflow attempt"; flow:stateless; content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16; pcre:"/^CSeq\x3A\s*[^\nA-Za-z]*[A-Za-z][^\n]{16,}/smi"; reference:bugtraq,13504; reference:cve,2005-1461; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:3678; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Interlacer ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|6|00|C|00|B|00|1|00|F|00|E|00|3|00|-|00|B|00|0|00|5|00|E|00|-|00|4|00|F|00|0|00|E|00|-|00|8|00|1|00|8|00|F|00|-|00|C|00|8|00|3|00|E|00|D|00|5|00|A|00|0|00|3|00|3|00|2|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x00C\x00B\x001\x00F\x00E\x003\x00-\x00B\x000\x005\x00E\x00-\x004\x00F\x000\x00E\x00-\x008\x001\x008\x00F\x00-\x00C\x008\x003\x00E\x00D\x005\x00A\x000\x003\x003\x002\x00F\x00/si"; reference:cve,2006-3638; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7479; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|B|00|3|00|3|00|9|00|A|00|4|00|6|00|-|00|7|00|C|00|4|00|9|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|B|00|F|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|7|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00B\x003\x003\x009\x00A\x004\x006\x00-\x007\x00C\x004\x009\x00-\x001\x001\x00d\x002\x00-\x009\x00B\x00F\x003\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x007\x008\x009\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8754; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent Custom Proxy Class ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|B|00|A|00|C|00|1|00|2|00|4|00|B|00|-|00|7|00|8|00|C|00|8|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|A|00|8|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|7|00|5|00|7|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8851; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID unicode access"; flow:established,to_client; 
content:"1|00|8|00|4|00|7|00|7|00|1|00|6|00|9|00|-|00|4|00|7|00|5|00|2|00|-|00|4|00|1|00|D|00|C|00|-|00|A|00|B|00|0|00|F|00|-|00|C|00|5|00|0|00|E|00|B|00|A|00|7|00|5|00|6|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x004\x007\x007\x001\x006\x009\x00-\x004\x007\x005\x002\x00-\x004\x001\x00D\x00C\x00-\x00A\x00B\x000\x00F\x00-\x00C\x005\x000\x00E\x00B\x00A\x007\x005\x006\x004\x001\x00D\x00/si"; classtype:attempted-user; sid:7891; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8793; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent Character Custom Proxy Class ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|E|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; 
fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8847; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|2|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x002\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; reference:url,browserfun.blogspot.com/2006/07/mobb-24-formslistbox1-listwidth.html; reference:url,osvdb.org/27372; classtype:attempted-user; sid:7957; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Business Object Factory ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|B|00|9|00|B|00|C|00|E|00|D|00|D|00|-|00|E|00|C|00|7|00|E|00|-|00|4|00|7|00|E|00|1|00|-|00|9|00|3|00|2|00|2|00|-|00|D|00|4|00|A|00|2|00|1|00|0|00|6|00|1|00|7|00|1|00|1|00|6|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00B\x009\x00B\x00C\x00E\x00D\x00D\x00-\x00E\x00C\x007\x00E\x00-\x004\x007\x00E\x001\x00-\x009\x003\x002\x002\x00-\x00D\x004\x00A\x002\x001\x000\x006\x001\x007\x001\x001\x006\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8364; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ADODB.Recordset ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|3|00|5|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x003\x005\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; reference:bugtraq,20704; reference:cve,2006-5559; classtype:attempted-user; sid:7869; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|0|00|B|00|4|00|7|00|9|00|1|00|F|00|-|00|4|00|7|00|3|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x000\x00B\x004\x007\x009\x001\x00F\x00-\x004\x007\x003\x001\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8745; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX QuickTime Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|2|00|B|00|F|00|2|00|5|00|D|00|5|00|-|00|8|00|C|00|1|00|7|00|-|00|4|00|B|00|2|00|3|00|-|00|B|00|C|00|8|00|0|00|-|00|D|00|3|00|4|00|8|00|8|00|A|00|B|00|D|00|D|00|C|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x002\x00B\x00F\x002\x005\x00D\x005\x00-\x008\x00C\x001\x007\x00-\x004\x00B\x002\x003\x00-\x00B\x00C\x008\x000\x00-\x00D\x003\x004\x008\x008\x00A\x00B\x00D\x00D\x00C\x006\x00B\x00/si"; classtype:attempted-user; sid:8376; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8781; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Panda ActiveScan PAVPZ.SOS.1 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|A|00|2|00|B|00|D|00|4|00|2|00|B|00|-|00|0|00|7|00|E|00|8|00|-|00|4|00|1|00|3|00|A|00|-|00|9|00|F|00|E|00|A|00|-|00|B|00|B|00|3|00|B|00|2|00|E|00|8|00|2|00|5|00|3|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x002\x00B\x00D\x004\x002\x00B\x00-\x000\x007\x00E\x008\x00-\x004\x001\x003\x00A\x00-\x009\x00F\x00E\x00A\x00-\x00B\x00B\x003\x00B\x002\x00E\x008\x002\x005\x003\x004\x000\x00(}\x00)?\5/si"; reference:bugtraq,21132; reference:cve,2006-5966; classtype:attempted-user; sid:9799; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|5|00|4|00|4|00|C|00|2|00|4|00|-|00|F|00|D|00|0|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|6|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|4|00|B|00|5|00|2|00|0|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x005\x004\x004\x00C\x002\x004\x00-\x00F\x00D\x000\x00B\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x006\x003\x00-\x000\x000\x00A\x00A\x000\x000\x004\x004\x00B\x005\x002\x000\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7434; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|5|00|A|00|4|00|A|00|9|00|9|00|C|00|-|00|8|00|C|00|3|00|D|00|-|00|4|00|9|00|9|00|E|00|-|00|A|00|3|00|8|00|6|00|-|00|E|00|0|00|7|00|4|00|3|00|D|00|F|00|F|00|8|00|F|00|B|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00A\x004\x00A\x009\x009\x00C\x00-\x008\x00C\x003\x00D\x00-\x004\x009\x009\x00E\x00-\x00A\x003\x008\x006\x00-\x00E\x000\x007\x004\x003\x00D\x00F\x00F\x008\x00F\x00B\x007\x00/si"; classtype:attempted-user; sid:8736; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|A|00|8|00|A|00|9|00|7|00|8|00|0|00|-|00|2|00|8|00|0|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|2|00|4|00|D|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x008\x00A\x009\x007\x008\x000\x00-\x002\x008\x000\x00D\x00-\x001\x001\x00C\x00F\x00-\x00A\x002\x004\x00D\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x000\x000\x000\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,21155; reference:cve,2005-0035; reference:cve,2006-6027; reference:cve,2006-6236; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:9627; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX clbcatq.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|B|00|3|00|A|00|E|00|C|00|B|00|-|00|D|00|F|00|D|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|D|00|A|00|A|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|8|00|5|00|C|00|F|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00B\x003\x00A\x00E\x00C\x00B\x00-\x00D\x00F\x00D\x006\x00-\x001\x001\x00D\x001\x00-\x009\x00D\x00A\x00A\x00-\x000\x000\x008\x000\x005\x00F\x008\x005\x00C\x00F\x00E\x003\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7996; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX tsuserex.ADsTSUserEx.1 ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|2|00|E|00|9|00|C|00|A|00|E|00|6|00|-|00|1|00|E|00|7|00|B|00|-|00|4|00|B|00|8|00|E|00|-|00|B|00|A|00|B|00|D|00|-|00|E|00|9|00|B|00|F|00|6|00|2|00|9|00|2|00|A|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x002\x00E\x009\x00C\x00A\x00E\x006\x00-\x001\x00E\x007\x00B\x00-\x004\x00B\x008\x00E\x00-\x00B\x00A\x00B\x00D\x00-\x00E\x009\x00B\x00F\x006\x002\x009\x002\x00A\x00C\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,19570; reference:cve,2006-4219; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14; classtype:attempted-user; sid:7503; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|4|00|7|00|8|00|F|00|6|00|4|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x004\x007\x008\x00F\x006\x004\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8038; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Outlook Data Object ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8722; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|5|00|D|00|F|00|9|00|D|00|1|00|0|00|-|00|3|00|B|00|5|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|3|00|E|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x005\x00D\x00F\x009\x00D\x001\x000\x00-\x003\x00B\x005\x002\x00-\x001\x001\x00D\x001\x00-\x008\x003\x00E\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x00D\x00C\x008\x004\x009\x00/si"; reference:bugtraq,19030; reference:cve,2006-3730; reference:url,browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-057; classtype:attempted-user; sid:7986; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|1|00|0|00|8|00|7|00|2|00|7|00|0|00|-|00|D|00|3|00|4|00|8|00|-|00|4|00|3|00|2|00|C|00|-|00|8|00|9|00|9|00|E|00|-|00|2|00|D|00|2|00|F|00|3|00|8|00|F|00|F|00|2|00|9|00|A|00|0|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x001\x000\x008\x007\x002\x007\x000\x00-\x00D\x003\x004\x008\x00-\x004\x003\x002\x00C\x00-\x008\x009\x009\x00E\x00-\x002\x00D\x002\x00F\x003\x008\x00F\x00F\x002\x009\x00A\x000\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7489; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8826; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|4|00|2|00|D|00|3|00|8|00|5|00|A|00|-|00|D|00|5|00|B|00|F|00|-|00|4|00|2|00|7|00|D|00|-|00|9|00|A|00|F|00|2|00|-|00|8|00|8|00|2|00|5|00|8|00|F|00|B|00|7|00|3|00|E|00|A|00|F|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x004\x002\x00D\x003\x008\x005\x00A\x00-\x00D\x005\x00B\x00F\x00-\x004\x002\x007\x00D\x00-\x009\x00A\x00F\x002\x00-\x008\x008\x002\x005\x008\x00F\x00B\x007\x003\x00E\x00A\x00F\x00/si"; classtype:attempted-user; sid:8400; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|4|00|5|00|B|00|0|00|B|00|0|00|-|00|7|00|2|00|D|00|8|00|-|00|4|00|6|00|5|00|2|00|-|00|A|00|E|00|5|00|F|00|-|00|5|00|E|00|3|00|E|00|2|00|6|00|6|00|B|00|E|00|7|00|E|00|D|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x004\x005\x00B\x000\x00B\x000\x00-\x007\x002\x00D\x008\x00-\x004\x006\x005\x002\x00-\x00A\x00E\x005\x00F\x00-\x005\x00E\x003\x00E\x002\x006\x006\x00B\x00E\x007\x00E\x00D\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7453; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX mk Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7959; rev:8;) # 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ADODB.Connection ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|1|00|4|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x001\x004\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00(}\x00)?\5/si"; reference:cve,2006-5559; reference:url,archives.neohapsis.com/archives/ntbugtraq/2004-q4/0083.html; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-009; classtype:attempted-user; sid:7867; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Stream Handler ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|1|00|A|00|4|00|1|00|E|00|1|00|1|00|-|00|9|00|1|00|D|00|B|00|-|00|4|00|4|00|6|00|1|00|-|00|9|00|5|00|C|00|D|00|-|00|0|00|C|00|0|00|2|00|3|00|2|00|7|00|F|00|D|00|9|00|3|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x001\x00A\x004\x001\x00E\x001\x001\x00-\x009\x001\x00D\x00B\x00-\x004\x004\x006\x001\x00-\x009\x005\x00C\x00D\x00-\x000\x00C\x000\x002\x003\x002\x007\x00F\x00D\x009\x003\x004\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8410; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|6|00|2|00|7|00|9|00|7|00|E|00|-|00|1|00|2|00|4|00|9|00|-|00|4|00|5|00|9|00|6|00|-|00|9|00|F|00|F|00|7|00|-|00|A|00|C|00|6|00|D|00|8|00|5|00|1|00|A|00|5|00|4|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x006\x002\x007\x009\x007\x00E\x00-\x001\x002\x004\x009\x00-\x004\x005\x009\x006\x00-\x009\x00F\x00F\x007\x00-\x00A\x00C\x006\x00D\x008\x005\x001\x00A\x005\x004\x002\x00A\x00/si"; classtype:attempted-user; sid:7887; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|5|00|B|00|7|00|F|00|6|00|3|00|-|00|F|00|0|00|6|00|F|00|-|00|4|00|3|00|3|00|1|00|-|00|8|00|A|00|2|00|6|00|-|00|3|00|3|00|9|00|E|00|0|00|3|00|C|00|0|00|A|00|E|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x005\x00B\x007\x00F\x006\x003\x00-\x00F\x000\x006\x00F\x00-\x004\x003\x003\x001\x00-\x008\x00A\x002\x006\x00-\x003\x003\x009\x00E\x000\x003\x00C\x000\x00A\x00E\x003\x00D\x00/si"; reference:cve,2006-4704; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-073; classtype:attempted-user; sid:8370; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8778; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CommunicationManager ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|7|00|D|00|C|00|C|00|4|00|8|00|7|00|-|00|A|00|A|00|4|00|8|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|F|00|4|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|6|00|1|00|1|00|C|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x00D\x00C\x00C\x004\x008\x007\x00-\x00A\x00A\x004\x008\x00-\x001\x001\x00D\x001\x00-\x008\x00F\x004\x00F\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x006\x001\x001\x00C\x007\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8002; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8817; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8808; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8838; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|7|00|B|00|6|00|C|00|0|00|4|00|A|00|-|00|C|00|B|00|B|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|B|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|4|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x007\x00B\x006\x00C\x000\x004\x00A\x00-\x00C\x00B\x00B\x005\x00-\x001\x001\x00D\x000\x00-\x00B\x00B\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x004\x001\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8022; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HTML Help ActiveX clsid unicode access"; flow:established,to_client; 
content:"5|00|2|00|A|00|2|00|A|00|A|00|A|00|E|00|-|00|0|00|8|00|5|00|D|00|-|00|4|00|1|00|8|00|7|00|-|00|9|00|7|00|E|00|A|00|-|00|8|00|C|00|3|00|0|00|D|00|B|00|9|00|9|00|0|00|4|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x002\x00A\x002\x00A\x00A\x00A\x00E\x00-\x000\x008\x005\x00D\x00-\x004\x001\x008\x007\x00-\x009\x007\x00E\x00A\x00-\x008\x00C\x003\x000\x00D\x00B\x009\x009\x000\x004\x003\x006\x00(}\x00)?\5/si"; reference:cve,2006-3357; reference:cve,2007-0214; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-008; classtype:attempted-user; sid:7440; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|E|00|C|00|F|00|5|00|D|00|2|00|E|00|-|00|7|00|A|00|1|00|8|00|-|00|4|00|D|00|D|00|2|00|-|00|B|00|D|00|C|00|D|00|-|00|2|00|9|00|B|00|6|00|F|00|6|00|1|00|5|00|B|00|4|00|4|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00E\x00C\x00F\x005\x00D\x002\x00E\x00-\x007\x00A\x001\x008\x00-\x004\x00D\x00D\x002\x00-\x00B\x00D\x00C\x00D\x00-\x002\x009\x00B\x006\x00F\x006\x001\x005\x00B\x004\x004\x008\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7469; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID unicode access"; flow:established,to_client; 
content:"4|00|4|00|C|00|7|00|9|00|5|00|9|00|1|00|-|00|D|00|0|00|D|00|E|00|-|00|4|00|9|00|C|00|4|00|-|00|B|00|A|00|3|00|C|00|-|00|A|00|4|00|5|00|A|00|B|00|7|00|0|00|0|00|3|00|3|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x004\x00C\x007\x009\x005\x009\x001\x00-\x00D\x000\x00D\x00E\x00-\x004\x009\x00C\x004\x00-\x00B\x00A\x003\x00C\x00-\x00A\x004\x005\x00A\x00B\x007\x000\x000\x003\x003\x005\x006\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7455; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|4|00|7|00|6|00|C|00|B|00|F|00|F|00|-|00|E|00|2|00|2|00|9|00|-|00|4|00|5|00|2|00|4|00|-|00|B|00|6|00|B|00|7|00|-|00|2|00|2|00|8|00|A|00|3|00|1|00|2|00|9|00|D|00|1|00|C|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x004\x007\x006\x00C\x00B\x00F\x00F\x00-\x00E\x002\x002\x009\x00-\x004\x005\x002\x004\x00-\x00B\x006\x00B\x007\x00-\x002\x002\x008\x00A\x003\x001\x002\x009\x00D\x001\x00C\x007\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7471; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID unicode access"; flow:established,to_client; 
content:"6|00|2|00|3|00|E|00|2|00|8|00|8|00|2|00|-|00|F|00|C|00|0|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|A|00|7|00|7|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|6|00|A|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x002\x003\x00E\x002\x008\x008\x002\x00-\x00F\x00C\x000\x00E\x00-\x001\x001\x00D\x001\x00-\x009\x00A\x007\x007\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x006\x00A\x001\x000\x00/si"; reference:url,browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html; reference:url,osvdb.org/27109; classtype:attempted-user; sid:7941; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Download Handler ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|F|00|D|00|F|00|6|00|D|00|6|00|B|00|-|00|D|00|6|00|7|00|2|00|-|00|4|00|6|00|3|00|B|00|-|00|8|00|4|00|6|00|E|00|-|00|C|00|6|00|F|00|F|00|4|00|9|00|1|00|0|00|9|00|6|00|6|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00F\x00D\x00F\x006\x00D\x006\x00B\x00-\x00D\x006\x007\x002\x00-\x004\x006\x003\x00B\x00-\x008\x004\x006\x00E\x00-\x00C\x006\x00F\x00F\x004\x009\x001\x000\x009\x006\x006\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8378; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Outlook Recipient Control ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|0|00|0|00|6|00|F|00|0|00|2|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x002\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?\5/si"; reference:bugtraq,21649; reference:cve,2006-6659; classtype:attempted-user; sid:9669; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX English_UK Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|9|00|F|00|7|00|6|00|7|00|0|00|-|00|7|00|F|00|1|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x009\x00F\x007\x006\x007\x000\x00-\x007\x00F\x001\x00A\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8010; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID unicode access"; flow:established,to_client; 
content:"E|00|1|00|8|00|8|00|F|00|7|00|A|00|3|00|-|00|A|00|0|00|4|00|E|00|-|00|4|00|1|00|3|00|E|00|-|00|9|00|9|00|D|00|1|00|-|00|D|00|7|00|9|00|A|00|4|00|5|00|F|00|7|00|0|00|3|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x001\x008\x008\x00F\x007\x00A\x003\x00-\x00A\x000\x004\x00E\x00-\x004\x001\x003\x00E\x00-\x009\x009\x00D\x001\x00-\x00D\x007\x009\x00A\x004\x005\x00F\x007\x000\x003\x000\x005\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7473; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|D|00|0|00|0|00|0|00|2|00|0|00|C|00|-|00|8|00|B|00|9|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|1|00|6|00|2|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00D\x000\x000\x000\x002\x000\x00C\x00-\x008\x00B\x009\x005\x00-\x001\x001\x00D\x001\x00-\x008\x002\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x001\x006\x002\x005\x00D\x00/si"; classtype:attempted-user; sid:7907; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|5|00|1|00|6|00|F|00|F|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x005\x001\x006\x00F\x00F\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8036; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Bitmap ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|F|00|3|00|E|00|5|00|0|00|B|00|D|00|-|00|A|00|9|00|D|00|7|00|-|00|4|00|7|00|2|00|1|00|-|00|B|00|0|00|E|00|1|00|-|00|0|00|0|00|C|00|B|00|4|00|2|00|A|00|0|00|A|00|7|00|4|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x003\x00E\x005\x000\x00B\x00D\x00-\x00A\x009\x00D\x007\x00-\x004\x007\x002\x001\x00-\x00B\x000\x00E\x001\x00-\x000\x000\x00C\x00B\x004\x002\x00A\x000\x00A\x007\x004\x007\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7430; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|2|00|7|00|C|00|D|00|B|00|6|00|E|00|-|00|A|00|E|00|6|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|6|00|B|00|8|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2007-6244; 
reference:url,marc.theaimsgroup.com/?l=bugtraq&m=102039374017185&w=2; reference:url,www.adobe.com/support/security/bulletins/apsb07-20.html; classtype:attempted-user; sid:7979; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|8|00|D|00|9|00|6|00|A|00|0|00|A|00|-|00|F|00|1|00|9|00|2|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|6|00|5|00|F|00|-|00|0|00|0|00|4|00|0|00|9|00|6|00|3|00|2|00|5|00|1|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,20915; reference:cve,2006-5745; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-071; classtype:attempted-user; sid:8406; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|E|00|E|00|4|00|2|00|2|00|9|00|3|00|-|00|C|00|3|00|1|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|6|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|A|00|0|00|6|00|E|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00E\x00E\x004\x002\x002\x009\x003\x00-\x00C\x003\x001\x005\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x006\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x00A\x000\x006\x00E\x001\x00F\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7998; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CDL Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; flow:established,to_client; 
content:"3|00|D|00|D|00|5|00|3|00|D|00|4|00|0|00|-|00|7|00|B|00|8|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|0|00|1|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|9|00|C|00|E|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q14>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q14)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7905; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DocFind Command ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|0|00|5|00|E|00|6|00|9|00|0|00|-|00|6|00|7|00|8|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|7|00|5|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|6|00|4|00|F|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x000\x005\x00E\x006\x009\x000\x00-\x006\x007\x008\x00D\x00-\x001\x001\x00D\x001\x00-\x00B\x007\x005\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x006\x004\x00F\x00E\x00/si"; classtype:attempted-user; sid:8412; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|4|00|4|00|F|00|4|00|8|00|0|00|6|00|-|00|E|00|8|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|6|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|3|00|0|00|8|00|7|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x004\x004\x00F\x004\x008\x000\x006\x00-\x00E\x008\x00A\x008\x00-\x001\x001\x00D\x002\x00-\x009\x006\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x003\x000\x008\x007\x001\x00/si"; classtype:attempted-user; sid:7988; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8790; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.PathControl ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|7|00|A|00|7|00|D|00|7|00|C|00|3|00|-|00|D|00|4|00|7|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x00A\x007\x00D\x007\x00C\x003\x00-\x00D\x004\x007\x00F\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x003\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/siO"; reference:bugtraq,19738; reference:cve,2006-4446; reference:cve,2006-4777; classtype:attempted-user; sid:8054; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Panda ActiveScan ActiveScan.1 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|A|00|2|00|B|00|D|00|4|00|2|00|B|00|-|00|0|00|7|00|E|00|8|00|-|00|4|00|1|00|3|00|A|00|-|00|9|00|F|00|E|00|A|00|-|00|B|00|B|00|3|00|B|00|2|00|E|00|8|00|2|00|5|00|3|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x002\x00B\x00D\x004\x002\x00B\x00-\x000\x007\x00E\x008\x00-\x004\x001\x003\x00A\x00-\x009\x00F\x00E\x00A\x00-\x00B\x00B\x003\x00B\x002\x00E\x008\x002\x005\x003\x004\x000\x00(}\x00)?\5/si"; reference:bugtraq,21132; reference:cve,2006-5966; classtype:attempted-user; sid:9796; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8796; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX javaprxy.dll ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|3|00|D|00|9|00|F|00|3|00|F|00|2|00|-|00|B|00|0|00|E|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|0|00|8|00|1|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|0|00|3|00|9|00|B|00|F|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x00D\x009\x00F\x003\x00F\x002\x00-\x00B\x000\x00E\x003\x00-\x001\x001\x00D\x002\x00-\x00B\x000\x008\x001\x00-\x000\x000\x006\x000\x000\x008\x000\x003\x009\x00B\x00F\x000\x00(}\x00)?\5/si"; reference:bugtraq,14087; reference:cve,2005-2087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-037; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17680; classtype:attempted-user; sid:9628; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Log Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|2|00|8|00|8|00|3|00|6|00|6|00|7|00|-|00|E|00|9|00|5|00|C|00|-|00|4|00|4|00|3|00|D|00|-|00|A|00|C|00|9|00|6|00|-|00|4|00|C|00|A|00|C|00|A|00|2|00|7|00|B|00|E|00|B|00|6|00|E|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x002\x008\x008\x003\x006\x006\x007\x00-\x00E\x009\x005\x00C\x00-\x004\x004\x003\x00D\x00-\x00A\x00C\x009\x006\x00-\x004\x00C\x00A\x00C\x00A\x002\x007\x00B\x00E\x00B\x006\x00E\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7481; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|9|00|A|00|D|00|9|00|0|00|E|00|F|00|-|00|1|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x009\x00A\x00D\x009\x000\x00E\x00F\x00-\x001\x00C\x002\x000\x00-\x001\x001\x00D\x001\x00-\x008\x008\x000\x001\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; classtype:attempted-user; sid:7953; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|3|00|1|00|D|00|1|00|1|00|-|00|6|00|F|00|D|00|2|00|-|00|4|00|6|00|5|00|9|00|-|00|A|00|D|00|7|00|5|00|-|00|1|00|5|00|5|00|F|00|A|00|1|00|4|00|3|00|F|00|4|00|2|00|B|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x003\x001\x00D\x001\x001\x00-\x006\x00F\x00D\x002\x00-\x004\x006\x005\x009\x00-\x00A\x00D\x007\x005\x00-\x001\x005\x005\x00F\x00A\x001\x004\x003\x00F\x004\x002\x00B\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7443; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x007\x00F\x005\x009\x002\x000\x000\x00-\x008\x007\x008\x003\x00-\x001\x001\x00D\x002\x00-\x008\x003\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x004\x005\x00A\x008\x001\x009\x00/si"; classtype:attempted-user; sid:8392; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|C|00|D|00|E|00|7|00|3|00|4|00|1|00|-|00|3|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|3|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00C\x00D\x00E\x007\x003\x004\x001\x00-\x003\x00C\x002\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x003\x000\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8802; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Frame Eater ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|C|00|6|00|8|00|9|00|5|00|5|00|E|00|-|00|F|00|9|00|6|00|5|00|-|00|4|00|2|00|4|00|9|00|-|00|8|00|E|00|1|00|8|00|-|00|F|00|0|00|9|00|7|00|7|00|B|00|1|00|D|00|2|00|8|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00C\x006\x008\x009\x005\x005\x00E\x00-\x00F\x009\x006\x005\x00-\x004\x002\x004\x009\x00-\x008\x00E\x001\x008\x00-\x00F\x000\x009\x007\x007\x00B\x001\x00D\x002\x008\x009\x009\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7438; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|2|00|9|00|0|00|B|00|D|00|5|00|-|00|4|00|8|00|A|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|4|00|3|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|C|00|3|00|F|00|B|00|F|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x002\x009\x000\x00B\x00D\x005\x00-\x004\x008\x00A\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x004\x003\x002\x00-\x000\x000\x006\x000\x000\x008\x00C\x003\x00F\x00B\x00F\x00C\x00/si"; reference:bugtraq,1754; reference:bugtraq,598; reference:cve,1999-0668; reference:cve,2000-1061; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB240308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-032; classtype:attempted-user; sid:8065; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|6|00|7|00|0|00|D|00|0|00|B|00|3|00|-|00|0|00|5|00|A|00|B|00|-|00|4|00|1|00|1|00|5|00|-|00|9|00|F|00|8|00|7|00|-|00|D|00|9|00|8|00|3|00|E|00|F|00|1|00|A|00|C|00|7|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x006\x007\x000\x00D\x000\x00B\x003\x00-\x000\x005\x00A\x00B\x00-\x004\x001\x001\x005\x00-\x009\x00F\x008\x007\x00-\x00D\x009\x008\x003\x00E\x00F\x001\x00A\x00C\x007\x004\x007\x00/si"; classtype:attempted-user; sid:7895; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|8|00|A|00|4|00|9|00|9|00|C|00|7|00|-|00|F|00|9|00|B|00|0|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|D|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|8|00|1|00|B|00|0|00|3|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x008\x00A\x004\x009\x009\x00C\x007\x00-\x00F\x009\x00B\x000\x00-\x001\x001\x00D\x002\x00-\x009\x003\x00D\x004\x00-\x000\x000\x00A\x000\x00C\x009\x008\x001\x00B\x000\x003\x005\x00/si"; classtype:attempted-user; sid:7883; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Switch Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|1|00|0|00|5|00|B|00|C|00|3|00|-|00|C|00|0|00|6|00|4|00|-|00|4|00|5|00|F|00|1|00|-|00|A|00|D|00|5|00|3|00|-|00|6|00|D|00|8|00|A|00|8|00|5|00|7|00|8|00|D|00|0|00|1|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x001\x000\x005\x00B\x00C\x003\x00-\x00C\x000\x006\x004\x00-\x004\x005\x00F\x001\x00-\x00A\x00D\x005\x003\x00-\x006\x00D\x008\x00A\x008\x005\x007\x008\x00D\x000\x001\x00B\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7491; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|D|00|3|00|6|00|C|00|E|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00D\x003\x006\x00C\x00E\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8024; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|1|00|7|00|5|00|0|00|6|00|C|00|3|00|-|00|6|00|B|00|2|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x001\x007\x005\x000\x006\x00C\x003\x00-\x006\x00B\x002\x006\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x004\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8844; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX German_German Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|1|00|0|00|A|00|4|00|9|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x001\x000\x00A\x004\x009\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8016; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|0|00|C|00|0|00|7|00|D|00|5|00|6|00|-|00|7|00|C|00|6|00|9|00|-|00|4|00|3|00|F|00|1|00|-|00|B|00|4|00|A|00|0|00|-|00|2|00|5|00|F|00|5|00|A|00|1|00|1|00|F|00|A|00|B|00|1|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x000\x00C\x000\x007\x00D\x005\x006\x00-\x007\x00C\x006\x009\x00-\x004\x003\x00F\x001\x00-\x00B\x004\x00A\x000\x00-\x002\x005\x00F\x005\x00A\x001\x001\x00F\x00A\x00B\x001\x009\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8368; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|F|00|1|00|5|00|8|00|E|00|1|00|-|00|C|00|B|00|0|00|4|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|E|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00F\x001\x005\x008\x00E\x001\x00-\x00C\x00B\x000\x004\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x00E\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8050; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|1|00|1|00|4|00|5|00|5|00|5|00|0|00|-|00|A|00|4|00|5|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|9|00|0|00|2|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|2|00|3|00|9|00|0|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x001\x001\x004\x005\x005\x005\x000\x00-\x00A\x004\x005\x004\x00-\x001\x001\x00D\x004\x00-\x009\x000\x002\x000\x00-\x000\x000\x00D\x000\x00B\x007\x002\x003\x009\x000\x008\x001\x00/si"; classtype:attempted-user; sid:7889; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ShotDetect ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|F|00|F|00|B|00|1|00|F|00|C|00|7|00|-|00|2|00|7|00|0|00|D|00|-|00|4|00|9|00|8|00|6|00|-|00|B|00|2|00|9|00|9|00|-|00|F|00|E|00|C|00|F|00|3|00|F|00|0|00|E|00|4|00|2|00|D|00|B|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00F\x00B\x001\x00F\x00C\x007\x00-\x002\x007\x000\x00D\x00-\x004\x009\x008\x006\x00-\x00B\x002\x009\x009\x00-\x00F\x00E\x00C\x00F\x003\x00F\x000\x00E\x004\x002\x00D\x00B\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7449; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|9|00|A|00|2|00|C|00|2|00|A|00|6|00|-|00|4|00|7|00|7|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|B|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x009\x00A\x002\x00C\x002\x00A\x006\x00-\x004\x007\x007\x008\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x00B\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7432; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|F|00|1|00|2|00|3|00|2|00|E|00|E|00|-|00|4|00|4|00|D|00|7|00|-|00|4|00|4|00|9|00|4|00|-|00|A|00|B|00|8|00|B|00|-|00|C|00|C|00|6|00|1|00|B|00|1|00|0|00|E|00|2|00|1|00|A|00|5|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x001\x002\x003\x002\x00E\x00E\x00-\x004\x004\x00D\x007\x00-\x004\x004\x009\x004\x00-\x00A\x00B\x008\x00B\x00-\x00C\x00C\x006\x001\x00B\x001\x000\x00E\x002\x001\x00A\x005\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7485; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|D|00|4|00|5|00|2|00|9|00|E|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|5|00|5|00|0|00|-|00|A|00|2|00|E|00|0|00|-|00|C|00|2|00|5|00|D|00|7|00|C|00|5|00|C|00|C|00|0|00|D|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00D\x004\x005\x002\x009\x00E\x00-\x008\x004\x00E\x000\x00-\x004\x005\x005\x000\x00-\x00A\x002\x00E\x000\x00-\x00C\x002\x005\x00D\x007\x00C\x005\x00C\x00C\x000\x00D\x000\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7457; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX XML Schema Cache 6.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|8|00|D|00|9|00|6|00|A|00|0|00|7|00|-|00|F|00|1|00|9|00|2|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|6|00|5|00|F|00|-|00|0|00|0|00|4|00|0|00|9|00|6|00|3|00|2|00|5|00|1|00|E|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x008\x00D\x009\x006\x00A\x000\x007\x00-\x00F\x001\x009\x002\x00-\x001\x001\x00D\x004\x00-\x00A\x006\x005\x00F\x00-\x000\x000\x004\x000\x009\x006\x003\x002\x005\x001\x00E\x005\x00/si"; classtype:attempted-user; sid:8404; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Xml2Dex ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|C|00|6|00|2|00|8|00|E|00|E|00|-|00|9|00|6|00|2|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|D|00|0|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|4|00|1|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00C\x006\x002\x008\x00E\x00E\x00-\x009\x006\x002\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x00D\x000\x008\x00-\x000\x000\x00A\x000\x00C\x009\x004\x004\x001\x00E\x002\x000\x00/si"; classtype:attempted-user; sid:8380; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent v2.0 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|B|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8853; rev:8;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|3|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x003\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; reference:cve,1999-0384; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-001; classtype:attempted-user; sid:7955; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|B|00|B|00|3|00|1|00|0|00|-|00|5|00|D|00|0|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|3|00|B|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00B\x00B\x003\x001\x000\x00-\x005\x00D\x000\x001\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x003\x00B\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8042; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID unicode access"; 
flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8787; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Macrovision InstallShield Update Service ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|9|00|8|00|8|00|0|00|5|00|5|00|3|00|-|00|B|00|8|00|A|00|7|00|-|00|4|00|9|00|6|00|0|00|-|00|A|00|6|00|6|00|8|00|-|00|9|00|5|00|C|00|6|00|8|00|B|00|E|00|D|00|5|00|7|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x009\x008\x008\x000\x005\x005\x003\x00-\x00B\x008\x00A\x007\x00-\x004\x009\x006\x000\x00-\x00A\x006\x006\x008\x00-\x009\x005\x00C\x006\x008\x00B\x00E\x00D\x005\x007\x001\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:8739; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"E|00|C|00|A|00|B|00|B|00|0|00|B|00|F|00|-|00|7|00|F|00|1|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|7|00|8|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|7|00|E|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00C\x00A\x00B\x00B\x000\x00B\x00F\x00-\x007\x00F\x001\x009\x00-\x001\x001\x00D\x002\x00-\x009\x007\x008\x00E\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x007\x00E\x002\x00A\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8034; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FolderItem2 ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|E|00|F|00|1|00|0|00|F|00|A|00|2|00|-|00|3|00|5|00|5|00|E|00|-|00|4|00|E|00|0|00|6|00|-|00|9|00|3|00|8|00|1|00|-|00|9|00|B|00|2|00|4|00|D|00|7|00|F|00|7|00|C|00|C|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00E\x00F\x001\x000\x00F\x00A\x002\x00-\x003\x005\x005\x00E\x00-\x004\x00E\x000\x006\x00-\x009\x003\x008\x001\x00-\x009\x00B\x002\x004\x00D\x007\x00F\x007\x00C\x00C\x008\x008\x00/si"; reference:url,browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html; classtype:attempted-user; sid:7931; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX McSubMgr ActiveX CLSID unicode access"; flow:established,to_client; 
content:"9|00|b|00|e|00|8|00|d|00|7|00|b|00|2|00|-|00|3|00|2|00|9|00|c|00|-|00|4|00|4|00|2|00|a|00|-|00|a|00|4|00|a|00|c|00|-|00|a|00|b|00|a|00|9|00|d|00|7|00|5|00|7|00|2|00|6|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00b\x00e\x008\x00d\x007\x00b\x002\x00-\x003\x002\x009\x00c\x00-\x004\x004\x002\x00a\x00-\x00a\x004\x00a\x00c\x00-\x00a\x00b\x00a\x009\x00d\x007\x005\x007\x002\x006\x000\x002\x00/si"; reference:bugtraq,19265; reference:cve,2006-3961; classtype:attempted-user; sid:7865; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|7|00|4|00|C|00|A|00|7|00|0|00|F|00|-|00|2|00|2|00|3|00|6|00|-|00|4|00|B|00|A|00|8|00|-|00|A|00|2|00|9|00|7|00|-|00|4|00|B|00|2|00|A|00|2|00|8|00|C|00|2|00|3|00|6|00|3|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x004\x00C\x00A\x007\x000\x00F\x00-\x002\x002\x003\x006\x00-\x004\x00B\x00A\x008\x00-\x00A\x002\x009\x007\x00-\x004\x00B\x002\x00A\x002\x008\x00C\x002\x003\x006\x003\x00C\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7459; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent v1.5 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|5|00|B|00|E|00|8|00|B|00|D|00|2|00|-|00|7|00|D|00|E|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|1|00|F|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|1|00|A|00|5|00|"; fast_pattern:only; 
nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2005-1214; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8855; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|F|00|2|00|4|00|1|00|D|00|B|00|1|00|-|00|E|00|E|00|9|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|2|00|4|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|C|00|9|00|9|00|E|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x002\x004\x001\x00D\x00B\x001\x00-\x00E\x00E\x009\x00F\x00-\x001\x001\x00D\x000\x00-\x009\x008\x002\x004\x00-\x000\x000\x006\x000\x009\x007\x00C\x009\x009\x00E\x005\x001\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8763; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HTML Help ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|B|00|2|00|3|00|C|00|2|00|8|00|-|00|4|00|8|00|8|00|E|00|-|00|4|00|e|00|5|00|C|00|-|00|A|00|C|00|E|00|2|00|-|00|B|00|B|00|0|00|B|00|B|00|A|00|B|00|E|00|9|00|9|00|E|00|8|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00B\x002\x003\x00C\x002\x008\x00-\x004\x008\x008\x00E\x00-\x004\x00e\x005\x00C\x00-\x00A\x00C\x00E\x002\x00-\x00B\x00B\x000\x00B\x00B\x00A\x00B\x00E\x009\x009\x00E\x008\x00/si"; reference:bugtraq,13953; reference:cve,2005-1208; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-026; classtype:attempted-user; sid:7441; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WDM Instance Provider ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|D|00|5|00|8|00|8|00|B|00|5|00|-|00|D|00|0|00|8|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|9|00|E|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|8|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x00D\x005\x008\x008\x00B\x005\x00-\x00D\x000\x008\x001\x00-\x001\x001\x00D\x000\x00-\x009\x009\x00E\x000\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x008\x00E\x00C\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8052; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|0|00|0|00|2|00|B|00|1|00|7|00|-|00|5|00|D|00|9|00|3|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|1|00|E|00|4|00|-|00|8|00|3|00|1|00|F|00|E|00|F|00|7|00|8|00|0|00|A|00|5|00|3|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x000\x000\x002\x00B\x001\x007\x00-\x005\x00D\x009\x003\x00-\x004\x005\x005\x001\x00-\x008\x001\x00E\x004\x00-\x008\x003\x001\x00F\x00E\x00F\x007\x008\x000\x00A\x005\x003\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7483; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|C|00|C|00|C|00|D|00|D|00|F|00|-|00|C|00|A|00|2|00|8|00|-|00|4|00|9|00|6|00|b|00|-|00|B|00|0|00|5|00|0|00|-|00|6|00|C|00|0|00|7|00|C|00|9|00|6|00|2|00|4|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x00C\x00C\x00D\x00D\x00F\x00-\x00C\x00A\x002\x008\x00-\x004\x009\x006\x00b\x00-\x00B\x000\x005\x000\x00-\x006\x00C\x000\x007\x00C\x009\x006\x002\x004\x007\x006\x00B\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8718; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent Notify Sink Custom Proxy Class ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|D|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2006-3445; reference:cve,2007-1205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:8849; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|1|00|E|00|0|00|4|00|5|00|8|00|1|00|-|00|4|00|E|00|E|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|F|00|E|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|B|00|4|00|3|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x00E\x000\x004\x005\x008\x001\x00-\x004\x00E\x00E\x00E\x00-\x001\x001\x00D\x000\x00-\x00B\x00F\x00E\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x00B\x004\x003\x008\x003\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8020; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8829; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|B|00|E|00|B|00|8|00|A|00|0|00|5|00|-|00|B|00|E|00|E|00|E|00|-|00|4|00|4|00|4|00|2|00|-|00|8|00|0|00|4|00|E|00|-|00|4|00|0|00|9|00|D|00|6|00|C|00|4|00|5|00|1|00|5|00|E|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00B\x00E\x00B\x008\x00A\x000\x005\x00-\x00B\x00E\x00E\x00E\x00-\x004\x004\x004\x002\x00-\x008\x000\x004\x00E\x00-\x004\x000\x009\x00D\x006\x00C\x004\x005\x001\x005\x00E\x009\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7977; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ICM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|0|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x000\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; 
sid:8018; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8832; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXTFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|8|00|5|00|A|00|9|00|1|00|B|00|C|00|-|00|1|00|E|00|8|00|A|00|-|00|4|00|E|00|4|00|A|00|-|00|A|00|7|00|A|00|6|00|-|00|F|00|4|00|F|00|C|00|1|00|E|00|6|00|C|00|A|00|1|00|B|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x008\x005\x00A\x009\x001\x00B\x00C\x00-\x001\x00E\x008\x00A\x00-\x004\x00E\x004\x00A\x00-\x00A\x007\x00A\x006\x00-\x00F\x004\x00F\x00C\x001\x00E\x006\x00C\x00A\x001\x00B\x00D\x00/si"; classtype:attempted-user; sid:7927; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8748; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8814; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Data Source Control 9.0 ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|0|00|0|00|2|00|E|00|5|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,28136; reference:cve,2007-1201; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; reference:url,www.microsoft.com/technet/prodtechnol/office/office2000/proddocs/opg/part4/ch18.mspx; classtype:attempted-user; sid:7871; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|1|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x001\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-1136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:7873; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID unicode access"; flow:established,to_client; 
content:"6|00|7|00|9|00|E|00|1|00|3|00|2|00|F|00|-|00|5|00|6|00|1|00|B|00|-|00|4|00|2|00|F|00|8|00|-|00|8|00|4|00|6|00|C|00|-|00|A|00|7|00|0|00|D|00|B|00|D|00|C|00|6|00|2|00|9|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x009\x00E\x001\x003\x002\x00F\x00-\x005\x006\x001\x00B\x00-\x004\x002\x00F\x008\x00-\x008\x004\x006\x00C\x00-\x00A\x007\x000\x00D\x00B\x00D\x00C\x006\x002\x009\x009\x009\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7487; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|8|00|6|00|8|00|3|00|0|00|4|00|-|00|A|00|B|00|0|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|6|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x008\x006\x008\x003\x000\x004\x00-\x00A\x00B\x000\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x007\x006\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8775; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"4|00|6|00|6|00|D|00|6|00|6|00|F|00|A|00|-|00|9|00|6|00|1|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|4|00|2|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|A|00|E|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x006\x006\x00D\x006\x006\x00F\x00A\x00-\x009\x006\x001\x006\x00-\x001\x001\x00D\x002\x00-\x009\x003\x004\x002\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x00A\x00E\x001\x007\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8032; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|D|00|C|00|6|00|C|00|B|00|8|00|6|00|-|00|4|00|2|00|4|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00D\x00C\x006\x00C\x00B\x008\x006\x00-\x004\x002\x004\x00C\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7911; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"B|00|A|00|0|00|1|00|8|00|5|00|9|00|9|00|-|00|1|00|D|00|B|00|3|00|-|00|4|00|4|00|f|00|9|00|-|00|8|00|3|00|B|00|4|00|-|00|4|00|6|00|1|00|4|00|5|00|4|00|C|00|8|00|4|00|B|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00A\x000\x001\x008\x005\x009\x009\x00-\x001\x00D\x00B\x003\x00-\x004\x004\x00f\x009\x00-\x008\x003\x00B\x004\x00-\x004\x006\x001\x004\x005\x004\x00C\x008\x004\x00B\x00F\x008\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8720; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|0|00|5|00|0|00|F|00|3|00|9|00|1|00|-|00|9|00|8|00|B|00|5|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|B|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|C|00|E|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x000\x005\x000\x00F\x003\x009\x001\x00-\x009\x008\x00B\x005\x00-\x001\x001\x00C\x00F\x00-\x00B\x00B\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x00D\x00C\x00E\x000\x00B\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8026; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID unicode access"; flow:established,to_client; 
content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|2|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x002\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8048; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|6|00|0|00|D|00|2|00|8|00|D|00|0|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00D\x002\x008\x00D\x000\x00-\x008\x00B\x00F\x004\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8008; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX file or local Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; flow:established,to_client; 
content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|7|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7929; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|D|00|0|00|8|00|B|00|5|00|8|00|6|00|-|00|3|00|4|00|3|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|4|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|F|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00D\x000\x008\x00B\x005\x008\x006\x00-\x003\x004\x003\x00A\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x004\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00F\x00D\x00F\x00F\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8028; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|B|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; 
reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/27111; classtype:attempted-user; sid:8724; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 9x8Resize ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|C|00|0|00|D|00|6|00|9|00|A|00|8|00|-|00|0|00|9|00|2|00|3|00|-|00|4|00|E|00|E|00|E|00|-|00|9|00|3|00|7|00|5|00|-|00|9|00|2|00|3|00|9|00|F|00|5|00|A|00|3|00|8|00|B|00|9|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00C\x000\x00D\x006\x009\x00A\x008\x00-\x000\x009\x002\x003\x00-\x004\x00E\x00E\x00E\x00-\x009\x003\x007\x005\x00-\x009\x002\x003\x009\x00F\x005\x00A\x003\x008\x00B\x009\x002\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7426; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Snapshot Viewer General Property Page Object ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|2|00|1|00|7|00|5|00|2|00|1|00|0|00|-|00|3|00|6|00|8|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|8|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-041; reference:url,www.microsoft.com/TechNet/security/advisory/955179.mspx; classtype:attempted-user; sid:7982; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID unicode access"; flow:established,to_client; 
content:"5|00|8|00|6|00|F|00|B|00|4|00|8|00|6|00|-|00|5|00|5|00|6|00|0|00|-|00|4|00|F|00|F|00|3|00|-|00|9|00|6|00|D|00|F|00|-|00|1|00|1|00|1|00|8|00|C|00|9|00|6|00|A|00|F|00|4|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x008\x006\x00F\x00B\x004\x008\x006\x00-\x005\x005\x006\x000\x00-\x004\x00F\x00F\x003\x00-\x009\x006\x00D\x00F\x00-\x001\x001\x001\x008\x00C\x009\x006\x00A\x00F\x004\x005\x006\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7501; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FolderItems3 ActiveX CLSID unicode access"; flow:established,to_client; content:"5|00|3|00|C|00|7|00|4|00|8|00|2|00|6|00|-|00|A|00|B|00|9|00|9|00|-|00|4|00|D|00|3|00|3|00|-|00|A|00|C|00|A|00|4|00|-|00|3|00|1|00|1|00|7|00|F|00|5|00|1|00|D|00|3|00|7|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x003\x00C\x007\x004\x008\x002\x006\x00-\x00A\x00B\x009\x009\x00-\x004\x00D\x003\x003\x00-\x00A\x00C\x00A\x004\x00-\x003\x001\x001\x007\x00F\x005\x001\x00D\x003\x007\x008\x008\x00/si"; classtype:attempted-user; sid:7933; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; reference:cve,2002-0727; reference:cve,2002-0861; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:7875; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|D|00|A|00|2|00|A|00|A|00|3|00|E|00|-|00|3|00|D|00|9|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|2|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00D\x00A\x002\x00A\x00A\x003\x00E\x00-\x003\x00D\x009\x006\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x002\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7445; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|5|00|0|00|0|00|A|00|E|00|2|00|-|00|0|00|8|00|5|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|C|00|E|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|8|00|E|00|C|00|B|00|1|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x005\x000\x000\x00A\x00E\x002\x00-\x000\x008\x005\x008\x00-\x001\x001\x00D\x002\x00-\x008\x00C\x00E\x004\x00-\x000\x000\x00C\x000\x004\x00F\x008\x00E\x00C\x00B\x001\x000\x00/si"; classtype:attempted-user; sid:8396; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ADODB.Stream ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|6|00|6|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x006\x006\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; reference:bugtraq,10514; reference:cve,2004-0549; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB870669; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:8062; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ACM Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|1|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x001\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7992; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|6|00|F|00|F|00|C|00|2|00|4|00|C|00|-|00|7|00|E|00|1|00|3|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|4|00|7|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x006\x00F\x00F\x00C\x002\x004\x00C\x00-\x007\x00E\x001\x003\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x004\x007\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; classtype:attempted-user; sid:7951; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|A|00|B|00|4|00|3|00|9|00|E|00|-|00|F|00|C|00|F|00|4|00|-|00|4|00|0|00|D|00|4|00|-|00|9|00|0|00|D|00|A|00|-|00|F|00|7|00|9|00|B|00|A|00|A|00|3|00|B|00|0|00|6|00|5|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00A\x00B\x004\x003\x009\x00E\x00-\x00F\x00C\x00F\x004\x00-\x004\x000\x00D\x004\x00-\x009\x000\x00D\x00A\x00-\x00F\x007\x009\x00B\x00A\x00A\x003\x00B\x000\x006\x005\x005\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8000; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebDetectFrm ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|1|00|C|00|6|00|6|00|9|00|C|00|7|00|-|00|E|00|D|00|D|00|D|00|-|00|4|00|2|00|7|00|7|00|-|00|B|00|F|00|5|00|E|00|-|00|6|00|4|00|8|00|0|00|7|00|C|00|B|00|8|00|D|00|C|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x001\x00C\x006\x006\x009\x00C\x007\x00-\x00E\x00D\x00D\x00D\x00-\x004\x002\x007\x007\x00-\x00B\x00F\x005\x00E\x00-\x006\x004\x008\x000\x007\x00C\x00B\x008\x00D\x00C\x00E\x00F\x00/si"; classtype:attempted-user; sid:8394; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL Phobos Class ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|9|00|F|00|9|00|9|00|C|00|6|00|B|00|-|00|A|00|3|00|A|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|F|00|6|00|4|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|6|00|1|00|7|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x00F\x009\x009\x00C\x006\x00B\x00-\x00A\x003\x00A\x006\x00-\x001\x001\x00D\x004\x00-\x00A\x00F\x006\x004\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x006\x001\x007\x000\x00/si"; classtype:attempted-user; sid:7893; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|4|00|B|00|D|00|E|00|6|00|E|00|C|00|-|00|F|00|4|00|2|00|F|00|-|00|4|00|5|00|0|00|0|00|-|00|A|00|C|00|4|00|6|00|-|00|9|00|0|00|5|00|1|00|7|00|7|00|4|00|4|00|4|00|3|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x004\x00B\x00D\x00E\x006\x00E\x00C\x00-\x00F\x004\x002\x00F\x00-\x004\x005\x000\x000\x00-\x00A\x00C\x004\x006\x00-\x009\x000\x005\x001\x007\x007\x004\x004\x004\x003\x000\x000\x00(}\x00)?\5/siO"; reference:bugtraq,20930; reference:cve,2006-5650; classtype:attempted-user; sid:9815; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|D|00|4|00|3|00|F|00|E|00|0|00|1|00|-|00|F|00|0|00|9|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|4|00|2|00|2|00|8|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x00D\x004\x003\x00F\x00E\x000\x001\x00-\x00F\x000\x009\x003\x00-\x001\x001\x00C\x00F\x00-\x008\x009\x004\x000\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x004\x002\x002\x008\x00/si"; reference:bugtraq,1754; reference:cve,2000-1061; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-075; classtype:attempted-user; sid:8070; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|8|00|A|00|B|00|E|00|1|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|4|00|1|00|C|00|1|00|-|00|A|00|B|00|A|00|3|00|-|00|0|00|5|00|1|00|B|00|6|00|F|00|1|00|1|00|2|00|B|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x008\x00A\x00B\x00E\x001\x002\x003\x00-\x00F\x00A\x00C\x004\x00-\x004\x001\x00C\x001\x00-\x00A\x00B\x00A\x003\x00-\x000\x005\x001\x00B\x006\x00F\x001\x001\x002\x00B\x008\x003\x00/si"; classtype:attempted-user; sid:7885; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX English_US Stemmer ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|E|00|E|00|D|00|4|00|C|00|2|00|0|00|-|00|7|00|F|00|1|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00E\x00E\x00D\x004\x00C\x002\x000\x00-\x007\x00F\x001\x00B\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8012; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ftp Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|3|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7935; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|1|00|B|00|0|00|9|00|0|00|6|00|6|00|-|00|C|00|9|00|5|00|C|00|-|00|4|00|E|00|F|00|6|00|-|00|8|00|D|00|F|00|D|00|-|00|3|00|D|00|D|00|0|00|A|00|F|00|E|00|6|00|1|00|0|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x001\x00B\x000\x009\x000\x006\x006\x00-\x00C\x009\x005\x00C\x00-\x004\x00E\x00F\x006\x00-\x008\x00D\x00F\x00D\x00-\x003\x00D\x00D\x000\x00A\x00F\x00E\x006\x001\x000\x00B\x006\x00/si"; 
classtype:attempted-user; sid:7899; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|6|00|3|00|3|00|4|00|4|00|D|00|8|00|-|00|7|00|0|00|D|00|3|00|-|00|4|00|0|00|3|00|2|00|-|00|9|00|B|00|3|00|2|00|-|00|7|00|A|00|3|00|C|00|A|00|D|00|5|00|0|00|9|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x003\x003\x004\x004\x00D\x008\x00-\x007\x000\x00D\x003\x00-\x004\x000\x003\x002\x00-\x009\x00B\x003\x002\x00-\x007\x00A\x003\x00C\x00A\x00D\x005\x000\x009\x001\x00A\x005\x00/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6685; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|8|00|5|00|3|00|E|00|1|00|9|00|A|00|-|00|4|00|E|00|5|00|4|00|-|00|4|00|1|00|9|00|0|00|-|00|8|00|D|00|E|00|B|00|-|00|2|00|E|00|1|00|C|00|C|00|9|00|4|00|7|00|C|00|D|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x005\x003\x00E\x001\x009\x00A\x00-\x004\x00E\x005\x004\x00-\x004\x001\x009\x000\x00-\x008\x00D\x00E\x00B\x00-\x002\x00E\x001\x00C\x00C\x009\x004\x007\x00C\x00D\x006\x000\x00/si"; classtype:attempted-user; sid:7919; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8823; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX syncui.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|5|00|B|00|B|00|D|00|9|00|2|00|0|00|-|00|4|00|2|00|A|00|0|00|-|00|1|00|0|00|6|00|9|00|-|00|A|00|2|00|E|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|B|00|3|00|0|00|3|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00B\x00B\x00D\x009\x002\x000\x00-\x004\x002\x00A\x000\x00-\x001\x000\x006\x009\x00-\x00A\x002\x00E\x004\x00-\x000\x008\x000\x000\x002\x00B\x003\x000\x003\x000\x009\x00D\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8040; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID unicode access"; flow:established,to_client; 
content:"E|00|3|00|1|00|E|00|8|00|7|00|C|00|4|00|-|00|8|00|6|00|E|00|A|00|-|00|4|00|9|00|4|00|0|00|-|00|9|00|B|00|8|00|A|00|-|00|5|00|B|00|D|00|5|00|D|00|1|00|7|00|9|00|A|00|7|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x003\x001\x00E\x008\x007\x00C\x004\x00-\x008\x006\x00E\x00A\x00-\x004\x009\x004\x000\x00-\x009\x00B\x008\x00A\x00-\x005\x00B\x00D\x005\x00D\x001\x007\x009\x00A\x007\x003\x007\x00/si"; reference:url,browserfun.blogspot.com/2006/07/mobb-13-revealtrans-transition.html; reference:url,osvdb.org/27057; classtype:attempted-user; sid:7923; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX System Monitor ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|D|00|2|00|D|00|8|00|E|00|0|00|-|00|D|00|1|00|D|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|4|00|0|00|F|00|-|00|0|00|0|00|8|00|0|00|2|00|9|00|0|00|0|00|4|00|3|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x00D\x002\x00D\x008\x00E\x000\x00-\x00D\x001\x00D\x00D\x00-\x001\x001\x00C\x00E\x00-\x009\x004\x000\x00F\x00-\x000\x000\x008\x000\x002\x009\x000\x000\x004\x003\x004\x007\x00/si"; reference:bugtraq,1899; reference:cve,2000-1034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-085; classtype:attempted-user; sid:8726; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SuperBuddy Class ActiveX CLSID unicode access"; flow:established,to_client; 
content:"1|00|8|00|9|00|5|00|0|00|4|00|B|00|8|00|-|00|5|00|0|00|D|00|1|00|-|00|4|00|A|00|A|00|8|00|-|00|B|00|4|00|D|00|6|00|-|00|9|00|5|00|C|00|8|00|F|00|5|00|8|00|A|00|6|00|4|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x009\x005\x000\x004\x00B\x008\x00-\x005\x000\x00D\x001\x00-\x004\x00A\x00A\x008\x00-\x00B\x004\x00D\x006\x00-\x009\x005\x00C\x008\x00F\x005\x008\x00A\x006\x004\x001\x004\x00/si"; classtype:attempted-user; sid:7984; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|3|00|0|00|F|00|D|00|0|00|2|00|C|00|-|00|B|00|B|00|E|00|7|00|-|00|4|00|E|00|B|00|9|00|-|00|9|00|1|00|C|00|F|00|-|00|F|00|C|00|4|00|5|00|C|00|C|00|9|00|1|00|E|00|3|00|E|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x003\x000\x00F\x00D\x000\x002\x00C\x00-\x00B\x00B\x00E\x007\x00-\x004\x00E\x00B\x009\x00-\x009\x001\x00C\x00F\x00-\x00F\x00C\x004\x005\x00C\x00C\x009\x001\x00E\x003\x00E\x006\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7493; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|3|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x003\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8046; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|1|00|D|00|2|00|B|00|8|00|4|00|1|00|-|00|7|00|6|00|9|00|2|00|-|00|4|00|C|00|8|00|3|00|-|00|A|00|F|00|D|00|3|00|-|00|F|00|6|00|0|00|E|00|8|00|4|00|5|00|3|00|4|00|1|00|A|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00D\x002\x00B\x008\x004\x001\x00-\x007\x006\x009\x002\x00-\x004\x00C\x008\x003\x00-\x00A\x00F\x00D\x003\x00-\x00F\x006\x000\x00E\x008\x004\x005\x003\x004\x001\x00A\x00F\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7499; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Data Source Control 10.0 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,35800; reference:bugtraq,35990; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-0562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:7877; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|E|00|F|00|B|00|E|00|C|00|2|00|-|00|4|00|3|00|0|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x00E\x00F\x00B\x00E\x00C\x002\x00-\x004\x003\x000\x002\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; reference:cve,2006-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6518; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Record Queue ActiveX CLSID unicode access"; flow:established,to_client; 
content:"5|00|B|00|4|00|B|00|0|00|5|00|E|00|B|00|-|00|1|00|F|00|6|00|3|00|-|00|4|00|4|00|6|00|B|00|-|00|A|00|A|00|D|00|1|00|-|00|E|00|1|00|0|00|A|00|3|00|4|00|D|00|6|00|5|00|0|00|E|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00B\x004\x00B\x000\x005\x00E\x00B\x00-\x001\x00F\x006\x003\x00-\x004\x004\x006\x00B\x00-\x00A\x00A\x00D\x001\x00-\x00E\x001\x000\x00A\x003\x004\x00D\x006\x005\x000\x00E\x000\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7447; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VisualExec Control ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|9|00|E|00|A|00|8|00|5|00|2|00|7|00|-|00|6|00|A|00|6|00|A|00|-|00|4|00|0|00|F|00|E|00|-|00|A|00|6|00|7|00|C|00|-|00|8|00|2|00|C|00|F|00|7|00|6|00|3|00|9|00|0|00|2|00|D|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x009\x00E\x00A\x008\x005\x002\x007\x00-\x006\x00A\x006\x00A\x00-\x004\x000\x00F\x00E\x00-\x00A\x006\x007\x00C\x00-\x008\x002\x00C\x00F\x007\x006\x003\x009\x000\x002\x00D\x000\x00/si"; classtype:attempted-user; sid:8408; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RMP Download Handler ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|4|00|C|00|C|00|B|00|C|00|E|00|B|00|-|00|B|00|A|00|7|00|E|00|-|00|4|00|C|00|9|00|9|00|-|00|A|00|0|00|7|00|8|00|-|00|9|00|F|00|6|00|8|00|3|00|8|00|3|00|2|00|D|00|4|00|9|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q25>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x00C\x00C\x00B\x00C\x00E\x00B\x00-\x00B\x00A\x007\x00E\x00-\x004\x00C\x009\x009\x00-\x00A\x000\x007\x008\x00-\x009\x00F\x006\x008\x003\x008\x003\x002\x00D\x004\x009\x003\x00(}\x00)?(?P=q25)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8390; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|9|00|3|00|5|00|D|00|C|00|2|00|2|00|-|00|1|00|C|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|B|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|5|00|8|00|A|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x003\x005\x00D\x00C\x002\x002\x00-\x001\x00C\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x00B\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x005\x008\x00A\x000\x00B\x00/si"; reference:bugtraq,1399; reference:bugtraq,1754; reference:bugtraq,598; reference:bugtraq,8456; reference:cve,1999-0668; reference:cve,2000-0597; reference:cve,2000-1061; reference:cve,2003-0532; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q240308; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-049; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-032; classtype:attempted-user; sid:8067; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"DELETED WEB-ACTIVEX clbcatex.dll ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|8|00|4|00|6|00|F|00|0|00|A|00|0|00|-|00|D|00|3|00|6|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|8|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|2|00|3|00|1|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x004\x006\x00F\x000\x00A\x000\x00-\x00D\x003\x006\x007\x00-\x001\x001\x00D\x001\x00-\x008\x002\x008\x006\x00-\x000\x000\x00A\x000\x00C\x009\x002\x003\x001\x00C\x002\x009\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7994; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Allocator Fix ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|0|00|D|00|0|00|7|00|6|00|C|00|5|00|-|00|E|00|4|00|C|00|6|00|-|00|4|00|5|00|6|00|1|00|-|00|8|00|B|00|F|00|4|00|-|00|8|00|0|00|D|00|A|00|8|00|D|00|B|00|8|00|1|00|9|00|D|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x000\x00D\x000\x007\x006\x00C\x005\x00-\x00E\x004\x00C\x006\x00-\x004\x005\x006\x001\x00-\x008\x00B\x00F\x004\x00-\x008\x000\x00D\x00A\x008\x00D\x00B\x008\x001\x009\x00D\x007\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7428; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RAM Download Handler ActiveX clsid unicode access"; flow:established,to_client; 
content:"2|00|F|00|5|00|4|00|2|00|A|00|2|00|E|00|-|00|E|00|D|00|C|00|9|00|-|00|4|00|B|00|F|00|7|00|-|00|8|00|C|00|B|00|1|00|-|00|8|00|7|00|C|00|9|00|9|00|1|00|9|00|F|00|7|00|F|00|9|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q15>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00F\x005\x004\x002\x00A\x002\x00E\x00-\x00E\x00D\x00C\x009\x00-\x004\x00B\x00F\x007\x00-\x008\x00C\x00B\x001\x00-\x008\x007\x00C\x009\x009\x001\x009\x00F\x007\x00F\x009\x003\x00(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8384; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer AutoStream.AutoStream.1 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|0|00|5|00|D|00|E|00|7|00|C|00|0|00|-|00|E|00|7|00|D|00|D|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|2|00|C|00|5|00|-|00|0|00|0|00|C|00|0|00|F|00|0|00|1|00|F|00|7|00|7|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x000\x005\x00D\x00E\x007\x00C\x000\x00-\x00E\x007\x00D\x00D\x00-\x001\x001\x00D\x002\x00-\x009\x002\x00C\x005\x00-\x000\x000\x00C\x000\x00F\x000\x001\x00F\x007\x007\x00C\x001\x00(}\x00)?\5/si"; reference:bugtraq,21802; reference:cve,2006-6847; classtype:attempted-user; sid:9672; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID unicode access"; flow:established,to_client; 
content:"E|00|6|00|7|00|3|00|D|00|C|00|F|00|2|00|-|00|C|00|3|00|1|00|6|00|-|00|4|00|C|00|6|00|F|00|-|00|A|00|A|00|9|00|6|00|-|00|4|00|E|00|4|00|D|00|C|00|6|00|D|00|C|00|2|00|9|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x006\x007\x003\x00D\x00C\x00F\x002\x00-\x00C\x003\x001\x006\x00-\x004\x00C\x006\x00F\x00-\x00A\x00A\x009\x006\x00-\x004\x00E\x004\x00D\x00C\x006\x00D\x00C\x002\x009\x001\x00E\x00/si"; reference:bugtraq,19340; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7915; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PostBootReminder object ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|8|00|4|00|9|00|5|00|9|00|6|00|A|00|-|00|4|00|8|00|E|00|A|00|-|00|4|00|8|00|6|00|E|00|-|00|8|00|9|00|3|00|7|00|-|00|A|00|2|00|A|00|3|00|0|00|0|00|9|00|F|00|3|00|1|00|A|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x008\x004\x009\x005\x009\x006\x00A\x00-\x004\x008\x00E\x00A\x00-\x004\x008\x006\x00E\x00-\x008\x009\x003\x007\x00-\x00A\x002\x00A\x003\x000\x000\x009\x00F\x003\x001\x00A\x009\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7971; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX French_French Stemmer ActiveX CLSID unicode access"; flow:established,to_client; 
content:"2|00|A|00|6|00|E|00|B|00|0|00|5|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00A\x006\x00E\x00B\x000\x005\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8014; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|0|00|C|00|B|00|0|00|8|00|C|00|E|00|-|00|A|00|B|00|3|00|D|00|-|00|4|00|7|00|7|00|9|00|-|00|9|00|C|00|7|00|7|00|-|00|6|00|2|00|A|00|4|00|3|00|9|00|B|00|F|00|E|00|6|00|C|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00C\x00B\x000\x008\x00C\x00E\x00-\x00A\x00B\x003\x00D\x00-\x004\x007\x007\x009\x00-\x009\x00C\x007\x007\x00-\x006\x002\x00A\x004\x003\x009\x00B\x00F\x00E\x006\x00C\x003\x00/si"; classtype:attempted-user; sid:7897; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|1|00|5|00|4|00|9|00|E|00|5|00|8|00|-|00|3|00|8|00|9|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|B|00|7|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|9|00|9|00|C|00|4|00|C|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x001\x005\x004\x009\x00E\x005\x008\x00-\x003\x008\x009\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00B\x007\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x009\x009\x00C\x004\x00C\x001\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8751; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|A|00|0|00|4|00|D|00|9|00|3|00|B|00|-|00|1|00|E|00|D|00|D|00|-|00|4|00|F|00|3|00|F|00|-|00|A|00|3|00|7|00|5|00|-|00|A|00|0|00|3|00|E|00|C|00|1|00|9|00|5|00|7|00|2|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00A\x000\x004\x00D\x009\x003\x00B\x00-\x001\x00E\x00D\x00D\x00-\x004\x00F\x003\x00F\x00-\x00A\x003\x007\x005\x00-\x00A\x000\x003\x00E\x00C\x001\x009\x005\x007\x002\x00C\x004\x00/si"; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7947; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8820; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|2|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x002\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8044; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID unicode access"; flow:established,to_client; content:"3|00|5|00|3|00|3|00|5|00|9|00|C|00|1|00|-|00|3|00|9|00|E|00|1|00|-|00|4|00|9|00|1|00|b|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|6|00|4|00|F|00|D|00|8|00|A|00|B|00|0|00|7|00|1|00|C|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x005\x003\x003\x005\x009\x00C\x001\x00-\x003\x009\x00E\x001\x00-\x004\x009\x001\x00b\x00-\x009\x009\x005\x001\x00-\x004\x006\x004\x00F\x00D\x008\x00A\x00B\x000\x007\x001\x00C\x00/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6683; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer SMIL Download Handler ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|4|00|E|00|8|00|3|00|3|00|B|00|-|00|2|00|C|00|C|00|6|00|-|00|4|00|2|00|D|00|9|00|-|00|A|00|E|00|3|00|9|00|-|00|9|00|0|00|B|00|6|00|A|00|3|00|8|00|A|00|4|00|F|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q35>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x002\x004\x00E\x008\x003\x003\x00B\x00-\x002\x00C\x00C\x006\x00-\x004\x002\x00D\x009\x00-\x00A\x00E\x003\x009\x00-\x009\x000\x00B\x006\x00A\x003\x008\x00A\x004\x00F\x00A\x002\x00(}\x00)?(?P=q35)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8382; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|7|00|1|00|B|00|4|00|0|00|6|00|3|00|-|00|3|00|E|00|5|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x007\x001\x00B\x004\x000\x006\x003\x00-\x003\x00E\x005\x009\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7925; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8799; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8769; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|F|00|8|00|E|00|6|00|4|00|2|00|1|00|-|00|3|00|D|00|9|00|B|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x008\x00E\x006\x004\x002\x001\x00-\x003\x00D\x009\x00B\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7937; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|8|00|5|00|3|00|C|00|D|00|9|00|-|00|7|00|F|00|8|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|2|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|5|00|A|00|B|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x008\x005\x003\x00C\x00D\x009\x00-\x007\x00F\x008\x006\x00-\x001\x001\x00D\x000\x00-\x008\x002\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x005\x00A\x00B\x004\x00/si"; classtype:attempted-user; sid:7917; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Volume ActiveX CLSID unicode access"; flow:established,to_client; content:"E|00|F|00|E|00|E|00|4|00|3|00|D|00|6|00|-|00|B|00|F|00|E|00|5|00|-|00|4|00|4|00|B|00|0|00|-|00|8|00|0|00|6|00|3|00|-|00|A|00|C|00|3|00|B|00|2|00|9|00|6|00|6|00|A|00|B|00|2|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x00E\x00E\x004\x003\x00D\x006\x00-\x00B\x00F\x00E\x005\x00-\x004\x004\x00B\x000\x00-\x008\x000\x006\x003\x00-\x00A\x00C\x003\x00B\x002\x009\x006\x006\x00A\x00B\x002\x00C\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7497; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|E|00|A|00|1|00|0|00|0|00|3|00|1|00|-|00|0|00|0|00|3|00|3|00|-|00|4|00|5|00|0|00|E|00|-|00|8|00|0|00|7|00|2|00|-|00|E|00|2|00|7|00|D|00|9|00|E|00|7|00|6|00|8|00|1|00|4|00|2|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00E\x00A\x001\x000\x000\x003\x001\x00-\x000\x000\x003\x003\x00-\x004\x005\x000\x00E\x00-\x008\x000\x007\x002\x00-\x00E\x002\x007\x00D\x009\x00E\x007\x006\x008\x001\x004\x002\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7463; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|3|00|F|00|9|00|9|00|8|00|B|00|2|00|-|00|0|00|E|00|0|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|A|00|4|00|9|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|E|00|B|00|5|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x003\x00F\x009\x009\x008\x00B\x002\x00-\x000\x00E\x000\x000\x00-\x001\x001\x00D\x003\x00-\x00A\x004\x009\x008\x00-\x000\x000\x001\x000\x004\x00B\x006\x00E\x00B\x005\x002\x00E\x00/si"; reference:url,vil.nai.com/vil/content/v_137262.htm; classtype:attempted-user; sid:7879; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT FormatConversion ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|D|00|2|00|0|00|D|00|4|00|B|00|B|00|-|00|B|00|4|00|7|00|E|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|3|00|B|00|D|00|-|00|E|00|3|00|C|00|2|00|E|00|E|00|2|00|5|00|0|00|D|00|2|00|6|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00D\x002\x000\x00D\x004\x00B\x00B\x00-\x00B\x004\x007\x00E\x00-\x004\x00F\x00B\x007\x00-\x008\x003\x00B\x00D\x00-\x00E\x003\x00C\x002\x00E\x00E\x002\x005\x000\x00D\x002\x006\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7475; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8772; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID unicode access"; flow:established,to_client; content:"8|00|2|00|4|00|1|00|F|00|0|00|1|00|5|00|-|00|8|00|4|00|D|00|3|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|7|00|E|00|6|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|3|00|F|00|F|00|7|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x002\x004\x001\x00F\x000\x001\x005\x00-\x008\x004\x00D\x003\x00-\x001\x001\x00d\x002\x00-\x009\x007\x00E\x006\x00-\x000\x000\x000\x000\x00F\x008\x000\x003\x00F\x00F\x007\x00A\x00/si"; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7913; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|1|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x001\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8835; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|E|00|F|00|E|00|2|00|4|00|5|00|2|00|-|00|1|00|6|00|8|00|A|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|C|00|7|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|9|00|4|00|5|00|3|00|B|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00E\x00F\x00E\x002\x004\x005\x002\x00-\x001\x006\x008\x00A\x00-\x001\x001\x00D\x001\x00-\x00B\x00C\x007\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x009\x004\x005\x003\x00B\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8030; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|B|00|0|00|0|00|7|00|2|00|5|00|B|00|-|00|C|00|4|00|5|00|5|00|-|00|4|00|D|00|E|00|6|00|-|00|B|00|F|00|B|00|6|00|-|00|A|00|D|00|5|00|4|00|0|00|A|00|D|00|4|00|2|00|7|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x000\x000\x007\x002\x005\x00B\x00-\x00C\x004\x005\x005\x00-\x004\x00D\x00E\x006\x00-\x00B\x00F\x00B\x006\x00-\x00A\x00D\x005\x004\x000\x00A\x00D\x004\x002\x007\x00C\x00D\x00/si"; classtype:attempted-user; sid:7881; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|2|00|E|00|D|00|A|00|8|00|9|00|A|00|-|00|0|00|9|00|6|00|6|00|-|00|4|00|B|00|9|00|1|00|-|00|9|00|C|00|1|00|8|00|-|00|A|00|B|00|6|00|9|00|F|00|0|00|9|00|8|00|1|00|8|00|7|00|F|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00E\x00D\x00A\x008\x009\x00A\x00-\x000\x009\x006\x006\x00-\x004\x00B\x009\x001\x00-\x009\x00C\x001\x008\x00-\x00A\x00B\x006\x009\x00F\x000\x009\x008\x001\x008\x007\x00F\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7467; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX YMMAPI.YMailAttach ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|A|00|2|00|1|00|8|00|3|00|2|00|8|00|-|00|0|00|E|00|A|00|8|00|-|00|4|00|D|00|7|00|0|00|-|00|8|00|9|00|7|00|2|00|-|00|E|00|9|00|8|00|7|00|A|00|9|00|1|00|9|00|0|00|F|00|F|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00A\x002\x001\x008\x003\x002\x008\x00-\x000\x00E\x00A\x008\x00-\x004\x00D\x007\x000\x00-\x008\x009\x007\x002\x00-\x00E\x009\x008\x007\x00A\x009\x001\x009\x000\x00F\x00F\x004\x00(}\x00)?\5/si"; reference:bugtraq,21607; reference:cve,2006-6603; reference:url,messenger.yahoo.com/security_update.php?id=120806; classtype:attempted-user; sid:9794; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Chroma ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|1|00|5|00|1|00|6|00|C|00|1|00|-|00|3|00|C|00|F|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,24188; 
reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:7909; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8841; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Rendezvous Class ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|1|00|0|00|2|00|9|00|E|00|5|00|B|00|-|00|C|00|B|00|5|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|5|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|1|00|A|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x001\x000\x002\x009\x00E\x005\x00B\x00-\x00C\x00B\x005\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x005\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x009\x001\x00A\x00C\x000\x00/si"; classtype:attempted-user; sid:7975; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID unicode 
access"; flow:established,to_client; content:"5|00|2|00|C|00|A|00|3|00|B|00|C|00|F|00|-|00|3|00|B|00|9|00|B|00|-|00|4|00|1|00|9|00|E|00|-|00|A|00|3|00|D|00|6|00|-|00|5|00|D|00|2|00|8|00|C|00|0|00|B|00|0|00|B|00|5|00|0|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x002\x00C\x00A\x003\x00B\x00C\x00F\x00-\x003\x00B\x009\x00B\x00-\x004\x001\x009\x00E\x00-\x00A\x003\x00D\x006\x00-\x005\x00D\x002\x008\x00C\x000\x00B\x000\x00B\x005\x000\x00C\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8004; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|4|00|D|00|C|00|8|00|D|00|D|00|9|00|-|00|2|00|C|00|C|00|1|00|-|00|4|00|0|00|8|00|1|00|-|00|9|00|B|00|2|00|B|00|-|00|2|00|0|00|D|00|7|00|0|00|3|00|0|00|2|00|3|00|4|00|E|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00D\x00C\x008\x00D\x00D\x009\x00-\x002\x00C\x00C\x001\x00-\x004\x000\x008\x001\x00-\x009\x00B\x002\x00B\x00-\x002\x000\x00D\x007\x000\x003\x000\x002\x003\x004\x00E\x00F\x00/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6680; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8811; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX http Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|2|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7943; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|6|00|7|00|2|00|3|00|E|00|0|00|9|00|-|00|F|00|4|00|C|00|2|00|-|00|4|00|3|00|c|00|8|00|-|00|8|00|3|00|5|00|8|00|-|00|0|00|9|00|F|00|C|00|D|00|1|00|D|00|B|00|0|00|7|00|6|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x007\x002\x003\x00E\x000\x009\x00-\x00F\x004\x00C\x002\x00-\x004\x003\x00c\x008\x00-\x008\x003\x005\x008\x00-\x000\x009\x00F\x00C\x00D\x001\x00D\x00B\x000\x007\x006\x006\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8374; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|5|00|B|00|0|00|F|00|9|00|1|00|C|00|-|00|D|00|2|00|3|00|D|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|8|00|5|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x005\x00B\x000\x00F\x009\x001\x00C\x00-\x00D\x002\x003\x00D\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x008\x005\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8742; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID unicode access"; flow:established,to_client; content:"A|00|F|00|6|00|0|00|4|00|E|00|F|00|E|00|-|00|8|00|8|00|9|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|4|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|1|00|2|00|E|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x006\x000\x004\x00E\x00F\x00E\x00-\x008\x008\x009\x007\x00-\x001\x001\x00D\x001\x00-\x00B\x009\x004\x004\x00-\x000\x000\x00A\x000\x00C\x009\x000\x003\x001\x002\x00E\x001\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7949; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Import Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"4|00|D|00|4|00|C|00|9|00|F|00|E|00|F|00|-|00|E|00|D|00|8|00|0|00|-|00|4|00|7|00|E|00|A|00|-|00|A|00|3|00|F|00|A|00|-|00|3|00|2|00|1|00|5|00|F|00|D|00|B|00|B|00|3|00|3|00|A|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00D\x004\x00C\x009\x00F\x00E\x00F\x00-\x00E\x00D\x008\x000\x00-\x004\x007\x00E\x00A\x00-\x00A\x003\x00F\x00A\x00-\x003\x002\x001\x005\x00F\x00D\x00B\x00B\x003\x003\x00A\x00B\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7477; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Acer LunchApp.APlunch ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|9|00|9|00|9|00|8|00|B|00|D|00|0|00|-|00|7|00|9|00|5|00|7|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|F|00|E|00|D|00|-|00|0|00|0|00|6|00|0|00|6|00|7|00|3|00|0|00|D|00|3|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; 
reference:url,global.acer.com/support/patch20070101.htm; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,vuln.sg/acerlunchapp-en.html; classtype:attempted-user; sid:9428; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|1|00|7|00|9|00|5|00|3|00|3|00|-|00|D|00|8|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x001\x007\x009\x005\x003\x003\x00-\x00D\x008\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x006\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8757; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID unicode access"; flow:established,to_client; content:"B|00|0|00|A|00|6|00|B|00|A|00|E|00|2|00|-|00|A|00|A|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|1|00|5|00|2|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|D|00|B|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x00A\x006\x00B\x00A\x00E\x002\x00-\x00A\x00A\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x001\x005\x002\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x00D\x00B\x009\x006\x00/si"; reference:cve,2006-4446; 
reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8760; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CDDBControlAOL.CDDBAOLControl ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|9|00|B|00|7|00|8|00|D|00|5|00|-|00|3|00|8|00|F|00|5|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|0|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|4|00|C|00|3|00|B|00|9|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q10>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; reference:bugtraq,23567; reference:cve,2006-3134; reference:url,www.gracenote.com/corporate/FAQs.html/faqset=update/page=0; reference:url,www.kb.cert.org/vuls/id/701121; classtype:attempted-user; sid:7903; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|5|00|B|00|C|00|B|00|E|00|E|00|4|00|-|00|7|00|7|00|2|00|8|00|-|00|4|00|1|00|A|00|0|00|-|00|9|00|7|00|B|00|E|00|-|00|1|00|4|00|E|00|1|00|C|00|A|00|E|00|3|00|6|00|A|00|A|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x005\x00B\x00C\x00B\x00E\x00E\x004\x00-\x007\x007\x002\x008\x00-\x004\x001\x00A\x000\x00-\x009\x007\x00B\x00E\x00-\x001\x004\x00E\x001\x00C\x00A\x00E\x003\x006\x00A\x00A\x00E\x00/si"; classtype:attempted-user; sid:8398; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX XMLHTTP 4.0 ActiveX clsid unicode access"; flow:established,to_client; 
content:"8|00|8|00|d|00|9|00|6|00|9|00|c|00|5|00|-|00|f|00|1|00|9|00|2|00|-|00|1|00|1|00|d|00|4|00|-|00|a|00|6|00|5|00|f|00|-|00|0|00|0|00|4|00|0|00|9|00|6|00|3|00|2|00|5|00|1|00|e|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,20915; reference:cve,2006-5745; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-071; classtype:attempted-user; sid:8728; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID unicode access"; flow:established,to_client; content:"D|00|2|00|9|00|2|00|3|00|B|00|8|00|6|00|-|00|1|00|5|00|F|00|1|00|-|00|4|00|6|00|F|00|F|00|-|00|A|00|1|00|9|00|A|00|-|00|D|00|E|00|8|00|2|00|5|00|F|00|9|00|1|00|9|00|5|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x009\x002\x003\x00B\x008\x006\x00-\x001\x005\x00F\x001\x00-\x004\x006\x00F\x00F\x00-\x00A\x001\x009\x00A\x00-\x00D\x00E\x008\x002\x005\x00F\x009\x001\x009\x005\x007\x006\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:7990; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RNX Download Handler ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|B|00|5|00|E|00|0|00|5|00|0|00|3|00|-|00|D|00|E|00|2|00|8|00|-|00|4|00|B|00|E|00|8|00|-|00|9|00|1|00|9|00|C|00|-|00|7|00|6|00|E|00|0|00|E|00|8|00|9|00|4|00|A|00|3|00|C|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q30>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00B\x005\x00E\x000\x005\x000\x003\x00-\x00D\x00E\x002\x008\x00-\x004\x00B\x00E\x008\x00-\x009\x001\x009\x00C\x00-\x007\x006\x00E\x000\x00E\x008\x009\x004\x00A\x003\x00C\x002\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8388; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID unicode access"; flow:established,to_client; content:"9|00|8|00|B|00|F|00|D|00|4|00|9|00|4|00|-|00|F|00|6|00|A|00|D|00|-|00|4|00|7|00|9|00|4|00|-|00|9|00|0|00|3|00|8|00|-|00|8|00|3|00|2|00|C|00|0|00|6|00|5|00|4|00|C|00|C|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x008\x00B\x00F\x00D\x004\x009\x004\x00-\x00F\x006\x00A\x00D\x00-\x004\x007\x009\x004\x00-\x009\x000\x003\x008\x00-\x008\x003\x002\x00C\x000\x006\x005\x004\x00C\x00C\x004\x003\x00/si"; classtype:attempted-user; sid:7901; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX https Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|5|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; 
sid:7945; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID unicode access"; flow:established,to_client; content:"6|00|3|00|9|00|F|00|7|00|2|00|5|00|F|00|-|00|1|00|B|00|2|00|D|00|-|00|4|00|8|00|3|00|1|00|-|00|A|00|9|00|F|00|D|00|-|00|8|00|7|00|4|00|8|00|4|00|7|00|6|00|8|00|2|00|0|00|1|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x009\x00F\x007\x002\x005\x00F\x00-\x001\x00B\x002\x00D\x00-\x004\x008\x003\x001\x00-\x00A\x009\x00F\x00D\x00-\x008\x007\x004\x008\x004\x007\x006\x008\x002\x000\x001\x000\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8366; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Virtual Source ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|4|00|C|00|6|00|5|00|C|00|7|00|-|00|F|00|D|00|F|00|1|00|-|00|4|00|5|00|3|00|D|00|-|00|8|00|9|00|A|00|5|00|-|00|B|00|C|00|C|00|2|00|8|00|F|00|5|00|D|00|6|00|9|00|F|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x004\x00C\x006\x005\x00C\x007\x00-\x00F\x00D\x00F\x001\x00-\x004\x005\x003\x00D\x00-\x008\x009\x00A\x005\x00-\x00B\x00C\x00C\x002\x008\x00F\x005\x00D\x006\x009\x00F\x009\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7495; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX gopher Asychronous Pluggable Protocol Handler ActiveX clsid unicode access"; 
flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|4|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:cve,2007-0218; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-033; classtype:attempted-user; sid:7939; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|D|00|7|00|8|00|D|00|5|00|5|00|4|00|-|00|4|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|7|00|0|00|D|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|9|00|1|00|6|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x007\x008\x00D\x005\x005\x004\x00-\x004\x00C\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x009\x007\x000\x00D\x00-\x000\x000\x00A\x000\x00C\x009\x001\x009\x001\x006\x000\x001\x00/si"; reference:bugtraq,14511; reference:cve,2005-1990; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-038; classtype:attempted-user; sid:8006; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID unicode access"; flow:established,to_client; content:"1|00|C|00|B|00|1|00|6|00|2|00|3|00|E|00|-|00|B|00|B|00|E|00|C|00|-|00|4|00|E|00|8|00|D|00|-|00|B|00|2|00|D|00|F|00|-|00|D|00|C|00|0|00|8|00|C|00|6|00|F|00|4|00|6|00|2|00|7|00|C|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00C\x00B\x001\x006\x002\x003\x00E\x00-\x00B\x00B\x00E\x00C\x00-\x004\x00E\x008\x00D\x00-\x00B\x002\x00D\x00F\x00-\x00D\x00C\x000\x008\x00C\x006\x00F\x004\x006\x002\x007\x00C\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7461; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8805; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|8|00|F|00|2|00|0|00|9|00|F|00|8|00|-|00|4|00|8|00|0|00|E|00|-|00|4|00|5|00|4|00|C|00|-|00|9|00|4|00|A|00|4|00|-|00|5|00|3|00|9|00|2|00|D|00|8|00|8|00|E|00|B|00|A|00|0|00|F|00|"; fast_pattern:only; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x008\x00F\x002\x000\x009\x00F\x008\x00-\x004\x008\x000\x00E\x00-\x004\x005\x004\x00C\x00-\x009\x004\x00A\x004\x00-\x005\x003\x009\x002\x00D\x008\x008\x00E\x00B\x00A\x000\x00F\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7465; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Playback Handler ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|B|00|4|00|6|00|0|00|6|00|7|00|C|00|-|00|F|00|D|00|8|00|7|00|-|00|4|00|9|00|B|00|6|00|-|00|8|00|D|00|D|00|D|00|-|00|1|00|2|00|F|00|0|00|D|00|6|00|8|00|7|00|0|00|3|00|5|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00B\x004\x006\x000\x006\x007\x00C\x00-\x00F\x00D\x008\x007\x00-\x004\x009\x00B\x006\x00-\x008\x00D\x00D\x00D\x00-\x001\x002\x00F\x000\x00D\x006\x008\x007\x000\x003\x005\x00F\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:8386; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|2|00|C|00|3|00|F|00|A|00|A|00|E|00|-|00|C|00|8|00|A|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|C|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|D|00|5|00|B|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x002\x00C\x003\x00F\x00A\x00A\x00E\x00-\x00C\x008\x00A\x00C\x00-\x001\x001\x00D\x000\x00-\x00B\x00C\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00D\x005\x00B\x006\x00/si"; classtype:attempted-user; sid:7921; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8784; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Citrix.ICAClient ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|3|00|8|00|F|00|6|00|F|00|8|00|3|00|-|00|B|00|8|00|B|00|4|00|-|00|1|00|1|00|c|00|f|00|-|00|8|00|7|00|7|00|1|00|-|00|0|00|0|00|A|00|0|00|2|00|4|00|5|00|4|00|1|00|E|00|E|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x003\x008\x00F\x006\x00F\x008\x003\x00-\x00B\x008\x00B\x004\x00-\x001\x001\x00c\x00f\x00-\x008\x007\x007\x001\x00-\x000\x000\x00A\x000\x002\x004\x005\x004\x001\x00E\x00E\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23246; reference:cve,2006-6334; reference:url,support.citrix.com/article/CTX111827; classtype:attempted-user; sid:9630; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Stetch ActiveX CLSID unicode access"; flow:established,to_client; content:"F|00|4|00|4|00|B|00|B|00|2|00|D|00|0|00|-|00|F|00|0|00|7|00|0|00|-|00|4|00|6|00|3|00|E|00|-|00|9|00|4|00|3|00|3|00|-|00|B|00|0|00|C|00|C|00|F|00|3|00|C|00|F|00|D|00|6|00|2|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x004\x004\x00B\x00B\x002\x00D\x000\x00-\x00F\x000\x007\x000\x00-\x004\x006\x003\x00E\x00-\x009\x004\x003\x003\x00-\x00B\x000\x00C\x00C\x00F\x003\x00C\x00F\x00D\x006\x002\x007\x00/si"; reference:cve,2006-3638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-042; classtype:attempted-user; sid:7451; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID unicode access"; flow:established,to_client; content:"2|00|8|00|3|00|8|00|0|00|7|00|B|00|5|00|-|00|2|00|C|00|6|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|1|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x008\x003\x008\x000\x007\x00B\x005\x00-\x002\x00C\x006\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x001\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; reference:cve,2006-4446; reference:cve,2006-4777; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-067; classtype:attempted-user; sid:8766; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Outlook.Application ActiveX CLSID unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|A|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x00A\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; reference:url,metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm; classtype:attempted-user; sid:8372; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|6|00|0|00|C|00|4|00|B|00|8|00|3|00|-|00|E|00|2|00|1|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|F|00|3|00|E|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|B|00|E|00|8|00|4|00|A|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x006\x000\x00C\x004\x00B\x008\x003\x00-\x00E\x002\x001\x001\x00-\x001\x001\x00D\x002\x00-\x00B\x00F\x003\x00E\x00-\x000\x000\x008\x000\x005\x00F\x00B\x00E\x008\x004\x00A\x006\x00/si"; classtype:attempted-user; sid:8402; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media pixel aspect ratio header RCE attempt "; flow:to_client, established; flowbits:isset,file.asf; content:"T|E5 1E 1B EA F9 C8|K|82 1A|7kt|E4 C4 B8|"; byte_test:4, >, 1500000000, 2, relative, little; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:15918; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media extended stream properties object RCE attempt "; flow:to_client,established; flowbits:isset,file.asf; content:"|CB A5 E6 14|r|C6|2C|83 99 A9|iR|06|[Zn"; byte_test:4,<,88,0,relative,little; content:"|00 00 00 00|"; within:4; distance:4; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:16338; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media Timecode header RCE attempt "; flow:to_client, established; flowbits:isset,file.asf; content:"|EC 95 95|9g|86|-N|8F DB 98 81|L|E7|l|1E|"; byte_test:4, >, 1500000000, 2, relative, little; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:15915; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media sample duration header RCE attempt "; flow:to_client,established; flowbits:isset,file.asf; 
content:"P|94 BD C6 7F 86 07|I|83 A3 C7|y!|B7|3|AD|"; byte_test:4, >, 1500000000, 2, relative, little; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:15914; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media encryption sample ID header RCE attempt "; flow:to_client, established; flowbits:isset,file.asf; content:"N|B8 98|f|FA 0A|0C|AE B2 1C 0A 98 D7 A4|M"; byte_test:4, >, 1500000000, 2, relative, little; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:15919; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media file name header RCE attempt "; flow:to_client, established; flowbits:isset,file.asf; content:"|0E EC|e|E1 ED 19 D7|E|B4 A7|%|CB D1 E2 8E 9B|"; byte_test:4, >, 1500000000, 2, relative, little; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:15916; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft Windows Media content type header RCE attempt "; flow:to_client, established; flowbits:isset,file.asf; content:" |DC 90 D5 BC 07|lC|9C F7 F3 BB FB F1 A4 DC|"; byte_test:4, >, 1500000000, 2, relative, little; reference:cve,2009-2498; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-047; classtype:attempted-user; sid:15917; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX function call unicode access"; flow:established,to_client; content:"I|00|E|00|R|00|P|00|C|00|t|00|l|00|.|00|I|00|E|00|R|00|P|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,21802; reference:bugtraq,22811; reference:bugtraq,26586; reference:cve,2006-6847; reference:cve,2007-5601; reference:cve,2008-3066; classtype:attempted-user; sid:12663; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Virtual Rooms ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|0|00|1|00|4|00|-|00|9|00|5|00|9|00|3|00|-|00|4|00|2|00|6|00|4|00|-|00|8|00|B|00|2|00|9|00|-|00|9|00|3|00|0|00|B|00|3|00|E|00|4|00|E|00|D|00|C|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q17)(?=\s\x00|>\x00)/si"; reference:bugtraq,27384; reference:cve,2008-0437; classtype:attempted-user; sid:13334; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aliplay ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|6|00|F|00|5|00|0|00|F|00|4|00|6|00|-|00|7|00|0|00|A|00|0|00|-|00|4|00|A|00|0|00|5|00|-|00|B|00|D|00|5|00|E|00|-|00|F|00|B|00|C|00|C|00|0|00|F|00|9|00|6|00|4|00|1|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x006\x00F\x005\x000\x00F\x004\x006\x00-\x007\x000\x00A\x000\x00-\x004\x00A\x000\x005\x00-\x00B\x00D\x005\x00E\x00-\x00F\x00B\x00C\x00C\x000\x00F\x009\x006\x004\x001\x00E\x00C\x00(}\x00)?\5/si"; reference:bugtraq,22446; reference:cve,2007-0827; classtype:attempted-user; sid:10129; rev:6;) # 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HardwareCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|H|00|a|00|r|00|d|00|w|00|a|00|r|00|e|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00H\x00a\x00r\x00d\x00w\x00a\x00r\x00e\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00H\x00a\x00r\x00d\x00w\x00a\x00r\x00e\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14363; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Variant Object Library ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|9|00|B|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q38)(?=\s\x00|>\x00)/si"; reference:bugtraq,24075; reference:cve,2007-2851; reference:url,moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html; classtype:attempted-user; sid:11651; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX UUSee UUUpgrade 
ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|C|00|A|00|C|00|D|00|7|00|B|00|B|00|-|00|1|00|C|00|5|00|9|00|-|00|4|00|B|00|B|00|B|00|-|00|8|00|E|00|8|00|1|00|-|00|6|00|E|00|8|00|3|00|F|00|8|00|2|00|C|00|8|00|1|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,29963; reference:cve,2008-7168; classtype:attempted-user; sid:13884; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 4 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|d|00|d|00|f|00|6|00|4|00|4|00|a|00|-|00|0|00|e|00|1|00|a|00|-|00|4|00|5|00|4|00|3|00|-|00|9|00|5|00|9|00|5|00|-|00|4|00|b|00|9|00|1|00|7|00|7|00|0|00|7|00|a|00|9|00|a|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00d\x00d\x00f\x006\x004\x004\x00a\x00-\x000\x00e\x001\x00a\x00-\x004\x005\x004\x003\x00-\x009\x005\x009\x005\x00-\x004\x00b\x009\x001\x007\x007\x000\x007\x00a\x009\x00a\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14349; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kaspersky AntiVirus SysInfo ActiveX function call unicode access"; flow:established,to_client; content:"K|00|L|00|.|00|S|00|y|00|s|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)K\x00L\x00.\x00S\x00y\x00s\x00I\x00n\x00f\x00o\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)K\x00L\x00.\x00S\x00y\x00s\x00I\x00n\x00f\x00o\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23325; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; reference:url,www.kaspersky.com/technews?id=203038694; classtype:attempted-user; sid:10430; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 PDWizard.File ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|D|00|D|00|F|00|3|00|B|00|5|00|C|00|-|00|E|00|6|00|9|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|B|00|0|00|6|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12262; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Dialog File Object ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|l|00|g|00|F|00|i|00|l|00|e|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|l|00|g|00|F|00|i|00|l|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24133; reference:cve,2007-2895; reference:url,moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html; classtype:attempted-user; sid:11633; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 64 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|3|00|8|00|F|00|6|00|F|00|5|00|5|00|-|00|C|00|9|00|F|00|0|00|-|00|4|00|6|00|0|00|1|00|-|00|8|00|7|00|4|00|0|00|-|00|9|00|8|00|E|00|F|00|1|00|C|00|A|00|9|00|D|00|F|00|9|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x008\x00F\x006\x00F\x005\x005\x00-\x00C\x009\x00F\x000\x00-\x004\x006\x000\x001\x00-\x008\x007\x004\x000\x00-\x009\x008\x00E\x00F\x001\x00C\x00A\x009\x00D\x00F\x009\x00A\x00(}\x00)?(?P=q122)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14215; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Persits Software XUpload ActiveX clsid unicode access"; flow:established,to_client; 
content:"E|00|8|00|7|00|F|00|6|00|C|00|8|00|E|00|-|00|1|00|6|00|C|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|E|00|F|00|7|00|-|00|0|00|0|00|9|00|0|00|2|00|7|00|4|00|3|00|8|00|0|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x008\x007\x00F\x006\x00C\x008\x00E\x00-\x001\x006\x00C\x000\x00-\x001\x001\x00D\x003\x00-\x00B\x00E\x00F\x007\x00-\x000\x000\x009\x000\x002\x007\x004\x003\x008\x000\x000\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,27025; reference:bugtraq,27456; reference:bugtraq,36550; reference:cve,2007-6530; reference:cve,2008-0492; reference:cve,2009-3693; classtype:attempted-user; sid:13233; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sun Java Web Start ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|8|00|5|00|2|00|F|00|5|00|E|00|D|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|2|00|4|00|5|00|-|00|0|00|0|00|8|00|0|00|C|00|6|00|F|00|7|00|4|00|2|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25734; reference:cve,2007-5019; classtype:attempted-user; sid:12473; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CDNetworks Nefficient Download ActiveX function call unicode access"; flow:established,to_client; content:"N|00|e|00|f|00|f|00|y|00|L|00|a|00|u|00|n|00|c|00|h|00|e|00|r|00|.|00|N|00|e|00|f|00|f|00|y|00|L|00|a|00|u|00|n|00|c|00|h|00|e|00|r|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00.\x00N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00C\x00t\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00.\x00N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00C\x00t\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28666; reference:cve,2008-1885; reference:cve,2008-1886; classtype:attempted-user; sid:13684; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Toolbar YShortcut ActiveX function call unicode access"; flow:established,to_client; content:"Y|00|S|00|h|00|o|00|r|00|t|00|c|00|u|00|t|00|_|00|D|00|L|00|L|00|.|00|S|00|h|00|o|00|r|00|t|00|c|00|u|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00_\x00D\x00L\x00L\x00.\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00_\x00D\x00L\x00L\x00.\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26956; reference:cve,2007-6535; classtype:attempted-user; sid:13227; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft DirectX Media SDK ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|0|00|1|00|E|00|A|00|5|00|6|00|4|00|-|00|A|00|6|00|F|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|1|00|1|00|D|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|6|00|B|00|D|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25279; 
reference:cve,2007-4336; classtype:attempted-user; sid:12258; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ComponentOne FlexGrid ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|0|00|A|00|6|00|3|00|B|00|8|00|6|00|-|00|4|00|B|00|2|00|1|00|-|00|1|00|1|00|d|00|3|00|-|00|B|00|D|00|9|00|5|00|-|00|D|00|4|00|2|00|6|00|E|00|F|00|2|00|C|00|7|00|9|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26467; reference:cve,2007-6028; classtype:attempted-user; sid:12734; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 4xem VatCtrl ActiveX function call unicode access"; flow:established,to_client; content:"V|00|A|00|T|00|D|00|e|00|c|00|o|00|d|00|e|00|r|00|.|00|V|00|a|00|t|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00A\x00T\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00t\x00C\x00t\x00r\x00l\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00A\x00T\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00t\x00C\x00t\x00r\x00l\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13534; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Lycos File Upload Component ActiveX function call unicode access"; flow:established,to_client; content:"F|00|i|00|l|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|.|00|F|00|U|00|p|00|l|00|o|00|a|00|d|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00.\x00F\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00.\x00F\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27411; reference:cve,2008-0443; classtype:attempted-user; sid:13353; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sony Rootkit Uninstaller ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|E|00|A|00|7|00|C|00|4|00|C|00|5|00|-|00|C|00|5|00|C|00|0|00|-|00|4|00|F|00|5|00|C|00|-|00|A|00|0|00|0|00|8|00|-|00|8|00|2|00|9|00|3|00|5|00|0|00|5|00|F|00|7|00|1|00|C|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-054; reference:url,wiki.castlecops.com/SONY_XCP_DRM_Rootkit_Detection_and_Removal_Instructions; classtype:attempted-user; sid:11251; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 20 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|E|00|2|00|3|00|3|00|A|00|F|00|F|00|-|00|8|00|B|00|D|00|5|00|-|00|4|00|5|00|7|00|E|00|-|00|B|00|7|00|F|00|0|00|-|00|7|00|0|00|2|00|D|00|B|00|E|00|A|00|5|00|A|00|8|00|2|00|8|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00E\x002\x003\x003\x00A\x00F\x00F\x00-\x008\x00B\x00D\x005\x00-\x004\x005\x007\x00E\x00-\x00B\x007\x00F\x000\x00-\x007\x000\x002\x00D\x00B\x00E\x00A\x005\x00A\x008\x002\x008\x00(}\x00)?(?P=q28)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13755; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 7 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|D|00|3|00|9|00|8|00|3|00|A|00|9|00|-|00|4|00|E|00|2|00|9|00|-|00|4|00|f|00|3|00|3|00|-|00|8|00|3|00|1|00|3|00|-|00|D|00|A|00|2|00|2|00|B|00|2|00|9|00|D|00|3|00|F|00|8|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q24)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12406; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare Vielib.dll ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,25118; reference:cve,2007-4058; classtype:attempted-user; sid:12206; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GDivX Zenith Player AVI Fixer ActiveX function call unicode access"; flow:established,to_client; content:"A|00|v|00|i|00|F|00|i|00|x|00|.|00|A|00|v|00|i|00|F|00|i|00|x|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00v\x00i\x00F\x00i\x00x\x00.\x00A\x00v\x00i\x00F\x00i\x00x\x00e\x00r\x00(?P=q6)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00v\x00i\x00F\x00i\x00x\x00.\x00A\x00v\x00i\x00F\x00i\x00x\x00e\x00r\x00(?P=q7)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23907; reference:cve,2007-2601; classtype:attempted-user; sid:11279; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DivXBrowserPlugin ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|7|00|D|00|A|00|B|00|F|00|B|00|F|00|-|00|D|00|0|00|A|00|B|00|-|00|4|00|1|00|f|00|a|00|-|00|9|00|C|00|4|00|6|00|-|00|C|00|C|00|0|00|F|00|2|00|1|00|7|00|2|00|1|00|6|00|1|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x007\x00D\x00A\x00B\x00F\x00B\x00F\x00-\x00D\x000\x00A\x00B\x00-\x004\x001\x00f\x00a\x00-\x009\x00C\x004\x006\x00-\x00C\x00C\x000\x00F\x002\x001\x007\x002\x001\x006\x001\x006\x00(}\x00)?\5/si"; classtype:attempted-user; sid:10190; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 8 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|0|00|8|00|0|00|9|00|2|00|B|00|F|00|-|00|B|00|7|00|D|00|B|00|-|00|4|00|0|00|D|00|1|00|-|00|B|00|7|00|F|00|B|00|-|00|F|00|5|00|5|00|9|00|2|00|2|00|F|00|C|00|C|00|9|00|B|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x000\x008\x000\x009\x002\x00B\x00F\x00-\x00B\x007\x00D\x00B\x00-\x004\x000\x00D\x001\x00-\x00B\x007\x00F\x00B\x00-\x00F\x005\x005\x009\x002\x002\x00F\x00C\x00C\x009\x00B\x00E\x00(}\x00)?(?P=q140)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14103; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|A|00|1|00|6|00|2|00|2|00|4|00|9|00|-|00|F|00|2|00|C|00|5|00|-|00|4|00|8|00|5|00|1|00|-|00|8|00|A|00|D|00|C|00|-|00|F|00|C|00|5|00|8|00|C|00|B|00|4|00|2|00|4|00|2|00|4|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00A\x001\x006\x002\x002\x004\x009\x00-\x00F\x002\x00C\x005\x00-\x004\x008\x005\x001\x00-\x008\x00A\x00D\x00C\x00-\x00F\x00C\x005\x008\x00C\x00B\x004\x002\x004\x002\x004\x003\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13439; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebEx Meeting Manager atucfobj ActiveX function call unicode access"; flow:established,to_client; content:"W|00|e|00|b|00|e|00|x|00|U|00|C|00|F|00|O|00|b|00|j|00|e|00|c|00|t|00|.|00|W|00|e|00|b|00|e|00|x|00|U|00|C|00|F|00|O|00|b|00|j|00|e|00|c|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00.\x00W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00.\x00W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30578; reference:cve,2008-3558; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml; classtype:attempted-user; sid:14016; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Excel Viewer ActiveX function call unicode access"; 
flow:established,to_client; content:"E|00|x|00|c|00|e|00|l|00|.|00|O|00|A|00|c|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00x\x00c\x00e\x00l\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00x\x00c\x00e\x00l\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11184; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 5 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|0|00|1|00|D|00|2|00|2|00|8|00|3|00|-|00|E|00|E|00|D|00|9|00|-|00|4|00|B|00|A|00|2|00|-|00|8|00|F|00|3|00|F|00|-|00|2|00|3|00|D|00|B|00|8|00|6|00|0|00|9|00|4|00|6|00|E|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x000\x001\x00D\x002\x002\x008\x003\x00-\x00E\x00E\x00D\x009\x00-\x004\x00B\x00A\x002\x00-\x008\x00F\x003\x00F\x00-\x002\x003\x00D\x00B\x008\x006\x000\x009\x004\x006\x00E\x00B\x00(}\x00)?(?P=q90)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14097; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Norton AntiVirus ActiveX clsid 
unicode access"; flow:established,to_client; content:"0|00|8|00|5|00|A|00|B|00|F|00|E|00|2|00|-|00|D|00|7|00|5|00|3|00|-|00|4|00|4|00|5|00|C|00|-|00|8|00|A|00|2|00|A|00|-|00|D|00|4|00|B|00|D|00|4|00|6|00|C|00|E|00|0|00|8|00|1|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x008\x005\x00A\x00B\x00F\x00E\x002\x00-\x00D\x007\x005\x003\x00-\x004\x004\x005\x00C\x00-\x008\x00A\x002\x00A\x00-\x00D\x004\x00B\x00D\x004\x006\x00C\x00E\x000\x008\x001\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,23822; reference:cve,2006-3456; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=529; reference:url,www.symantec.com/avcenter/security/Content/2007.05.09.html; classtype:attempted-user; sid:11269; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 5 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|4|00|9|00|3|00|0|00|4|00|b|00|-|00|1|00|9|00|8|00|d|00|-|00|4|00|b|00|8|00|1|00|-|00|8|00|2|00|5|00|0|00|-|00|2|00|9|00|4|00|4|00|5|00|e|00|d|00|9|00|9|00|c|00|2|00|f|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x004\x009\x003\x000\x004\x00b\x00-\x001\x009\x008\x00d\x00-\x004\x00b\x008\x001\x00-\x008\x002\x005\x000\x00-\x002\x009\x004\x004\x005\x00e\x00d\x009\x009\x00c\x002\x00f\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14359; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Orbit Downloader ActiveX clsid unicode access"; flow:established,to_client; 
content:"3|00|F|00|1|00|D|00|4|00|9|00|4|00|B|00|-|00|0|00|C|00|E|00|F|00|-|00|4|00|4|00|6|00|8|00|-|00|9|00|6|00|C|00|9|00|-|00|3|00|8|00|6|00|E|00|2|00|E|00|4|00|D|00|E|00|C|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00F\x001\x00D\x004\x009\x004\x00B\x00-\x000\x00C\x00E\x00F\x00-\x004\x004\x006\x008\x00-\x009\x006\x00C\x009\x00-\x003\x008\x006\x00E\x002\x00E\x004\x00D\x00E\x00C\x009\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-1602; classtype:attempted-user; sid:14034; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Macrovision FLEXnet Connect ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|C|00|E|00|D|00|4|00|4|00|8|00|2|00|-|00|7|00|C|00|C|00|B|00|-|00|4|00|E|00|6|00|F|00|-|00|8|00|6|00|C|00|9|00|-|00|D|00|C|00|B|00|2|00|2|00|B|00|5|00|2|00|8|00|4|00|3|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; reference:bugtraq,27279; reference:cve,2008-4586; reference:cve,2008-4587; classtype:attempted-user; sid:13326; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VeralSoft HTTP File Uploader ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|8|00|7|00|7|00|6|00|D|00|A|00|D|00|-|00|5|00|9|00|1|00|4|00|-|00|4|00|2|00|A|00|7|00|-|00|9|00|1|00|3|00|9|00|-|00|8|00|F|00|D|00|7|00|C|00|7|00|5|00|6|00|B|00|B|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; reference:bugtraq,23853; reference:cve,2007-2563; reference:url,moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html; classtype:attempted-user; sid:11215; rev:6;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Instant Support DataManager ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|4|00|C|00|1|00|B|00|8|00|7|00|C|00|-|00|3|00|3|00|4|00|2|00|-|00|4|00|4|00|5|00|F|00|-|00|9|00|B|00|5|00|E|00|-|00|3|00|6|00|5|00|F|00|F|00|3|00|3|00|0|00|A|00|3|00|A|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x004\x00C\x001\x00B\x008\x007\x00C\x00-\x003\x003\x004\x002\x00-\x004\x004\x005\x00F\x00-\x009\x00B\x005\x00E\x00-\x003\x006\x005\x00F\x00F\x003\x003\x000\x00A\x003\x00A\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,29530; reference:bugtraq,29531; reference:bugtraq,29532; reference:bugtraq,29533; reference:bugtraq,29534; reference:bugtraq,29535; reference:bugtraq,29536; reference:cve,2007-5605; reference:cve,2007-5606; reference:cve,2007-5607; reference:cve,2007-5608; reference:cve,2007-5610; reference:cve,2008-0952; reference:cve,2008-0953; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13858; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebEx GPCContainer ActiveX function call unicode access"; flow:established,to_client; content:"G|00|p|00|c|00|C|00|o|00|n|00|t|00|a|00|i|00|n|00|e|00|r|00|.|00|G|00|p|00|c|00|C|00|o|00|n|00|t|00|a|00|i|00|n|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00.\x00G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00.\x00G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26430; reference:cve,2007-6005; classtype:attempted-user; sid:12717; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX function call unicode access"; flow:established,to_client; content:"Y|00|V|00|e|00|r|00|I|00|n|00|f|00|o|00|.|00|G|00|e|00|t|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00V\x00e\x00r\x00I\x00n\x00f\x00o\x00.\x00G\x00e\x00t\x00I\x00n\x00f\x00o\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00V\x00e\x00r\x00I\x00n\x00f\x00o\x00.\x00G\x00e\x00t\x00I\x00n\x00f\x00o\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,25494; reference:cve,2007-4515; reference:url,messenger.yahoo.com/security_update.php?id=082907; classtype:attempted-user; sid:12387; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbUpdate Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|U|00|p|00|d|00|a|00|t|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14313; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAstatics ActiveX function call unicode access"; flow:established,to_client; content:"D|00|i|00|r|00|e|00|c|00|t|00|A|00|n|00|i|00|m|00|a|00|t|00|i|00|o|00|n|00|.|00|D|00|A|00|s|00|t|00|a|00|t|00|i|00|c|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00.\x00D\x00A\x00s\x00t\x00a\x00t\x00i\x00c\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00.\x00D\x00A\x00s\x00t\x00a\x00t\x00i\x00c\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11246; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Widgets Engine ActiveX function call unicode access"; 
flow:established,to_client; content:"Y|00|D|00|P|00|C|00|T|00|L|00|.|00|Y|00|D|00|P|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00D\x00P\x00C\x00T\x00L\x00.\x00Y\x00D\x00P\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00D\x00P\x00C\x00T\x00L\x00.\x00Y\x00D\x00P\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,25086; reference:cve,2007-4034; reference:url,help.yahoo.com/l/us/yahoo/widgets/security/security-08.html; classtype:attempted-user; sid:12196; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 69 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|7|00|3|00|B|00|A|00|E|00|F|00|A|00|-|00|E|00|E|00|6|00|5|00|-|00|4|00|9|00|4|00|D|00|-|00|B|00|E|00|D|00|B|00|-|00|D|00|D|00|3|00|E|00|5|00|A|00|3|00|4|00|F|00|A|00|9|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x007\x003\x00B\x00A\x00E\x00F\x00A\x00-\x00E\x00E\x006\x005\x00-\x004\x009\x004\x00D\x00-\x00B\x00E\x00D\x00B\x00-\x00D\x00D\x003\x00E\x005\x00A\x003\x004\x00F\x00A\x009\x008\x00(}\x00)?(?P=q132)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14225; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Toolbar Helper Class ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|2|00|4|00|7|00|8|00|D|00|3|00|8|00|-|00|C|00|3|00|F|00|9|00|-|00|4|00|E|00|F|00|B|00|-|00|9|00|B|00|5|00|1|00|-|00|7|00|6|00|9|00|5|00|E|00|C|00|A|00|0|00|5|00|6|00|7|00|0|00|"; 
fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26656; reference:cve,2007-6228; classtype:attempted-user; sid:12763; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual FoxPro ActiveX function call unicode access"; flow:established,to_client; content:"f|00|p|00|o|00|l|00|e|00|c|00|t|00|l|00|.|00|f|00|p|00|o|00|l|00|e|00|c|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00.\x00f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00.\x00f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; classtype:attempted-user; sid:12420; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call unicode access"; flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13441; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmappPoll Class ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|8|00|e|00|7|00|2|00|e|00|4|00|2|00|-|00|2|00|d|00|7|00|9|00|-|00|4|00|d|00|9|00|4|00|-|00|9|00|9|00|f|00|6|00|-|00|c|00|8|00|5|00|9|00|f|00|3|00|a|00|4|00|6|00|d|00|4|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x008\x00e\x007\x002\x00e\x004\x002\x00-\x002\x00d\x007\x009\x00-\x004\x00d\x009\x004\x00-\x009\x009\x00f\x006\x00-\x00c\x008\x005\x009\x00f\x003\x00a\x004\x006\x00d\x004\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14375; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma 
unspecified 23 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|8|00|5|00|5|00|3|00|7|00|E|00|9|00|-|00|2|00|D|00|9|00|C|00|-|00|4|00|0|00|0|00|A|00|-|00|B|00|C|00|9|00|2|00|-|00|B|00|0|00|4|00|F|00|4|00|D|00|9|00|F|00|F|00|1|00|7|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q32>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x008\x005\x005\x003\x007\x00E\x009\x00-\x002\x00D\x009\x00C\x00-\x004\x000\x000\x00A\x00-\x00B\x00C\x009\x002\x00-\x00B\x000\x004\x00F\x004\x00D\x009\x00F\x00F\x001\x007\x00D\x00(}\x00)?(?P=q32)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14133; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GlobalLink glitemflat.dll ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|D|00|1|00|4|00|2|00|5|00|D|00|4|00|-|00|E|00|2|00|F|00|C|00|-|00|4|00|A|00|5|00|2|00|-|00|B|00|D|00|A|00|9|00|-|00|B|00|9|00|D|00|C|00|A|00|C|00|5|00|E|00|F|00|5|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00D\x001\x004\x002\x005\x00D\x004\x00-\x00E\x002\x00F\x00C\x00-\x004\x00A\x005\x002\x00-\x00B\x00D\x00A\x009\x00-\x00B\x009\x00D\x00C\x00A\x00C\x005\x00E\x00F\x005\x007\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25586; reference:cve,2007-4802; classtype:attempted-user; sid:12429; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Learn2 STRunner ActiveX function call unicode access"; flow:established,to_client; content:"S|00|T|00|R|00|u|00|n|00|n|00|e|00|r|00|.|00|P|00|o|00|p|00|u|00|p|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00T\x00R\x00u\x00n\x00n\x00e\x00r\x00.\x00P\x00o\x00p\x00u\x00p\x001\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00T\x00R\x00u\x00n\x00n\x00e\x00r\x00.\x00P\x00o\x00p\x00u\x00p\x001\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28058; reference:cve,2007-6252; classtype:attempted-user; sid:13546; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HardwareCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|4|00|d|00|1|00|8|00|8|00|a|00|8|00|-|00|f|00|3|00|c|00|4|00|-|00|4|00|9|00|f|00|e|00|-|00|9|00|6|00|e|00|b|00|-|00|a|00|4|00|1|00|6|00|2|00|5|00|9|00|d|00|7|00|c|00|4|00|a|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x00d\x001\x008\x008\x00a\x008\x00-\x00f\x003\x00c\x004\x00-\x004\x009\x00f\x00e\x00-\x009\x006\x00e\x00b\x00-\x00a\x004\x001\x006\x002\x005\x009\x00d\x007\x00c\x004\x00a\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14361; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LexRefBilingualTextContext ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|5|00|C|00|1|00|1|00|6|00|0|00|4|00|-|00|5|00|C|00|5|00|1|00|-|00|4|00|8|00|B|00|2|00|-|00|B|00|7|00|8|00|6|00|-|00|D|00|F|00|5|00|E|00|5|00|1|00|D|00|1|00|0|00|E|00|C|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x005\x00C\x001\x001\x006\x000\x004\x00-\x005\x00C\x005\x001\x00-\x004\x008\x00B\x002\x00-\x00B\x007\x008\x006\x00-\x00D\x00F\x005\x00E\x005\x001\x00D\x001\x000\x00E\x00C\x009\x00(}\x00)?\5/si"; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10143; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EDraw Office Viewer Component ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|B|00|A|00|2|00|1|00|C|00|2|00|2|00|-|00|5|00|3|00|A|00|5|00|-|00|4|00|6|00|3|00|F|00|-|00|B|00|B|00|E|00|8|00|-|00|5|00|C|00|F|00|7|00|F|00|F|00|A|00|0|00|1|00|3|00|2|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25344; reference:bugtraq,25593; reference:bugtraq,25892; reference:cve,2007-3169; reference:cve,2007-4420; reference:cve,2007-4821; classtype:attempted-user; sid:12431; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Outlook View OVCtl ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|6|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x006\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?\5/si"; 
reference:bugtraq,3025; reference:bugtraq,3026; reference:cve,2001-0538; reference:url,browserfun.blogspot.com/2006/07/mobb-20-ovctl-newdefaultitem.html; reference:url,osvdb.org/27112; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-038; classtype:attempted-user; sid:9819; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 6 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|9|00|C|00|4|00|6|00|2|00|E|00|1|00|-|00|C|00|D|00|4|00|1|00|-|00|4|00|9|00|E|00|3|00|-|00|9|00|E|00|C|00|2|00|-|00|D|00|3|00|0|00|5|00|1|00|5|00|5|00|7|00|1|00|8|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x009\x00C\x004\x006\x002\x00E\x001\x00-\x00C\x00D\x004\x001\x00-\x004\x009\x00E\x003\x00-\x009\x00E\x00C\x002\x00-\x00D\x003\x000\x005\x001\x005\x005\x007\x001\x008\x00C\x001\x00(}\x00)?(?P=q112)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14099; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ultra Crypto Component CryptoX.dll ActiveX function call unicode access"; flow:established,to_client; content:"C|00|r|00|y|00|p|00|t|00|o|00|X|00|.|00|C|00|r|00|y|00|p|00|t|00|o|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00r\x00y\x00p\x00t\x00o\x00X\x00.\x00C\x00r\x00y\x00p\x00t\x00o\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00r\x00y\x00p\x00t\x00o\x00X\x00.\x00C\x00r\x00y\x00p\x00t\x00o\x00O\x00b\x00j\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25609; reference:cve,2007-4903; 
reference:url,www.ultrashareware.com/Ultra-Crypto-Component.htm; classtype:attempted-user; sid:12441; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 32 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|C|00|A|00|7|00|3|00|E|00|8|00|B|00|-|00|B|00|5|00|8|00|4|00|-|00|4|00|5|00|3|00|3|00|-|00|A|00|4|00|0|00|5|00|-|00|3|00|D|00|6|00|F|00|9|00|C|00|0|00|1|00|2|00|B|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00C\x00A\x007\x003\x00E\x008\x00B\x00-\x00B\x005\x008\x004\x00-\x004\x005\x003\x003\x00-\x00A\x004\x000\x005\x00-\x003\x00D\x006\x00F\x009\x00C\x000\x001\x002\x00B\x005\x006\x00(}\x00)?(?P=q52)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14151; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools JPEG 2000 COM Object ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; 
reference:bugtraq,24040; reference:cve,2007-2771; reference:url,moaxb.blogspot.com/2007/05/moaxb-18-leadtools-jpeg-2000-com.html; classtype:attempted-user; sid:11629; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Word Viewer ActiveX function call unicode access"; flow:established,to_client; content:"O|00|A|00|.|00|O|00|A|00|c|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q18)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11190; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PBEmail7 ActiveX function call unicode access"; flow:established,to_client; content:"P|00|B|00|E|00|m|00|a|00|i|00|l|00|7|00|.|00|E|00|m|00|a|00|i|00|l|00|S|00|e|00|n|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00B\x00E\x00m\x00a\x00i\x00l\x007\x00.\x00E\x00m\x00a\x00i\x00l\x00S\x00e\x00n\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)P\x00B\x00E\x00m\x00a\x00i\x00l\x007\x00.\x00E\x00m\x00a\x00i\x00l\x00S\x00e\x00n\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26058; reference:cve,2007-5446; 
classtype:attempted-user; sid:12647; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Music JukeBox DataGrid ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|F|00|8|00|1|00|0|00|A|00|F|00|C|00|-|00|B|00|B|00|5|00|F|00|-|00|4|00|4|00|1|00|6|00|-|00|B|00|E|00|6|00|3|00|-|00|E|00|0|00|1|00|D|00|D|00|1|00|1|00|7|00|B|00|D|00|6|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,27579; reference:cve,2008-0624; classtype:attempted-user; sid:13427; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Data Dynamics ActiveBar Actbar3 ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|4|00|0|00|7|00|1|00|5|00|3|00|D|00|-|00|0|00|2|00|2|00|F|00|-|00|4|00|C|00|D|00|2|00|-|00|8|00|B|00|F|00|F|00|-|00|4|00|6|00|5|00|5|00|6|00|9|00|B|00|C|00|5|00|D|00|B|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:12084; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Hewlett Packard HPQVWOCX.DL ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|A|00|7|00|2|00|6|00|B|00|F|00|9|00|-|00|E|00|D|00|2|00|F|00|-|00|4|00|6|00|1|00|B|00|-|00|9|00|4|00|4|00|7|00|-|00|C|00|D|00|5|00|C|00|7|00|D|00|6|00|6|00|C|00|E|00|8|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,23941; reference:bugtraq,24793; reference:cve,2007-2656; reference:cve,2007-3649; classtype:attempted-user; sid:11292; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 10 ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|0|00|F|00|8|00|9|00|6|00|7|00|E|00|-|00|3|00|4|00|A|00|6|00|-|00|4|00|7|00|4|00|a|00|-|00|8|00|3|00|7|00|A|00|-|00|C|00|E|00|C|00|1|00|E|00|7|00|D|00|A|00|C|00|5|00|4|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12412; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CA DSM gui_cm_ctrls ActiveX function call unicode access"; flow:established,to_client; content:"C|00|o|00|m|00|m|00|o|00|n|00|A|00|c|00|t|00|i|00|v|00|e|00|X|00|.|00|I|00|T|00|R|00|M|00|L|00|e|00|g|00|e|00|n|00|d|00|s|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,28809; reference:cve,2008-1786; classtype:attempted-user; sid:14028; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Move Networks Media Player ActiveX function call unicode access"; 
flow:established,to_client; content:"Q|00|S|00|P|00|2|00|I|00|E|00|.|00|Q|00|S|00|P|00|2|00|I|00|E|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Q\x00S\x00P\x002\x00I\x00E\x00.\x00Q\x00S\x00P\x002\x00I\x00E\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Q\x00S\x00P\x002\x00I\x00E\x00.\x00Q\x00S\x00P\x002\x00I\x00E\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27438; reference:cve,2008-0477; classtype:attempted-user; sid:13351; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SignKorea SKCommAX ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|C|00|5|00|D|00|5|00|1|00|1|00|8|00|-|00|9|00|F|00|D|00|E|00|-|00|4|00|A|00|3|00|E|00|-|00|8|00|4|00|F|00|3|00|-|00|C|00|2|00|B|00|7|00|1|00|1|00|7|00|4|00|0|00|E|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00C\x005\x00D\x005\x001\x001\x008\x00-\x009\x00F\x00D\x00E\x00-\x004\x00A\x003\x00E\x00-\x008\x004\x00F\x003\x00-\x00C\x002\x00B\x007\x001\x001\x007\x004\x000\x00E\x007\x000\x00(}\x00)?\5/si"; classtype:attempted-user; sid:10405; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare Vielib.dll ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|B|00|9|00|C|00|5|00|4|00|2|00|2|00|-|00|3|00|9|00|A|00|A|00|-|00|4|00|C|00|2|00|1|00|-|00|B|00|E|00|E|00|F|00|-|00|6|00|4|00|5|00|E|00|4|00|2|00|E|00|B|00|4|00|5|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25118; reference:cve,2007-4058; classtype:attempted-user; sid:12204; rev:6;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 26 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|C|00|2|00|8|00|B|00|7|00|5|00|F|00|-|00|F|00|9|00|F|00|6|00|-|00|4|00|C|00|9|00|2|00|-|00|A|00|F|00|9|00|1|00|-|00|1|00|4|00|A|00|3|00|A|00|5|00|1|00|C|00|4|00|9|00|F|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00C\x002\x008\x00B\x007\x005\x00F\x00-\x00F\x009\x00F\x006\x00-\x004\x00C\x009\x002\x00-\x00A\x00F\x009\x001\x00-\x001\x004\x00A\x003\x00A\x005\x001\x00C\x004\x009\x00F\x00B\x00(}\x00)?(?P=q38)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14139; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; 
reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14281; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Novell iPrint ActiveX function call unicode access"; flow:established,to_client; content:"i|00|e|00|n|00|i|00|p|00|p|00|.|00|N|00|o|00|v|00|e|00|l|00|l|00| |00|i|00|P|00|r|00|i|00|n|00|t|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)i\x00e\x00n\x00i\x00p\x00p\x00.\x00N\x00o\x00v\x00e\x00l\x00l\x00(\s\x00)*i\x00P\x00r\x00i\x00n\x00t\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)i\x00e\x00n\x00i\x00p\x00p\x00.\x00N\x00o\x00v\x00e\x00l\x00l\x00(\s\x00)*i\x00P\x00r\x00i\x00n\x00t\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,27939; reference:bugtraq,29736; reference:bugtraq,30813; reference:bugtraq,30986; reference:bugtraq,31370; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2432; reference:cve,2008-2436; reference:cve,2008-2908; reference:url,secunia.com/advisories/40782; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:13526; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 42 ActiveX clsid unicode access"; flow:established,to_client; 
content:"A|00|2|00|3|00|3|00|E|00|6|00|5|00|4|00|-|00|5|00|3|00|F|00|F|00|-|00|4|00|3|00|A|00|A|00|-|00|B|00|1|00|E|00|2|00|-|00|6|00|0|00|D|00|A|00|2|00|E|00|8|00|9|00|A|00|1|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x002\x003\x003\x00E\x006\x005\x004\x00-\x005\x003\x00F\x00F\x00-\x004\x003\x00A\x00A\x00-\x00B\x001\x00E\x002\x00-\x006\x000\x00D\x00A\x002\x00E\x008\x009\x00A\x001\x00E\x00C\x00(}\x00)?(?P=q74)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14171; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|C|00|6|00|6|00|9|00|8|00|D|00|9|00|-|00|7|00|B|00|E|00|4|00|-|00|4|00|1|00|2|00|2|00|-|00|8|00|E|00|C|00|5|00|-|00|2|00|9|00|1|00|D|00|8|00|4|00|D|00|B|00|D|00|4|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00C\x006\x006\x009\x008\x00D\x009\x00-\x007\x00B\x00E\x004\x00-\x004\x001\x002\x002\x00-\x008\x00E\x00C\x005\x00-\x002\x009\x001\x00D\x008\x004\x00D\x00B\x00D\x004\x00A\x000\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13420; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BitDefender Online Scanner ActiveX clsid unicode access"; flow:established,to_client; 
content:"5|00|D|00|8|00|6|00|D|00|D|00|B|00|5|00|-|00|B|00|D|00|F|00|9|00|-|00|4|00|4|00|1|00|B|00|-|00|9|00|E|00|9|00|E|00|-|00|D|00|4|00|7|00|3|00|0|00|F|00|4|00|E|00|E|00|4|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00D\x008\x006\x00D\x00D\x00B\x005\x00-\x00B\x00D\x00F\x009\x00-\x004\x004\x001\x00B\x00-\x009\x00E\x009\x00E\x00-\x00D\x004\x007\x003\x000\x00F\x004\x00E\x00E\x004\x009\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,26210; reference:cve,2007-5775; classtype:attempted-user; sid:12748; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GraceNote CDDB ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|4|00|B|00|A|00|F|00|F|00|0|00|2|00|-|00|F|00|9|00|0|00|7|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|F|00|8|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|4|00|C|00|3|00|B|00|9|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; reference:bugtraq,18678; reference:bugtraq,23567; reference:cve,2006-3134; reference:cve,2007-0443; reference:url,www.gracenote.com/corporate/FAQs.html/faqset=update/page=0; reference:url,www.kb.cert.org/vuls/id/701121; classtype:attempted-user; sid:10987; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CA BrightStor ListCtrl ActiveX function call unicode access"; flow:established,to_client; content:"L|00|I|00|S|00|T|00|C|00|T|00|R|00|L|00|.|00|L|00|i|00|s|00|t|00|C|00|t|00|r|00|l|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00I\x00S\x00T\x00C\x00T\x00R\x00L\x00.\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00I\x00S\x00T\x00C\x00T\x00R\x00L\x00.\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,28268; reference:cve,2008-1472; classtype:attempted-user; sid:13624; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 30 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|D|00|B|00|C|00|7|00|A|00|0|00|4|00|-|00|B|00|4|00|7|00|8|00|-|00|4|00|1|00|D|00|5|00|-|00|B|00|E|00|0|00|5|00|-|00|5|00|5|00|4|00|5|00|D|00|5|00|6|00|5|00|B|00|5|00|9|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00D\x00B\x00C\x007\x00A\x000\x004\x00-\x00B\x004\x007\x008\x00-\x004\x001\x00D\x005\x00-\x00B\x00E\x000\x005\x00-\x005\x005\x004\x005\x00D\x005\x006\x005\x00B\x005\x009\x00C\x00(}\x00)?(?P=q48)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14147; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 65 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|5|00|2|00|6|00|2|00|3|00|D|00|C|00|-|00|2|00|B|00|B|00|4|00|-|00|4|00|C|00|1|00|C|00|-|00|A|00|D|00|F|00|B|00|-|00|5|00|7|00|A|00|2|00|1|00|8|00|F|00|1|00|A|00|5|00|E|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x005\x002\x006\x002\x003\x00D\x00C\x00-\x002\x00B\x00B\x004\x00-\x004\x00C\x001\x00C\x00-\x00A\x00D\x00F\x00B\x00-\x005\x007\x00A\x002\x001\x008\x00F\x001\x00A\x005\x00E\x00E\x00(}\x00)?(?P=q124)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14217; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Lotus SameTime STJNILoader ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|2|00|6|00|1|00|E|00|E|00|4|00|2|00|-|00|3|00|1|00|8|00|E|00|-|00|4|00|9|00|0|00|A|00|-|00|A|00|E|00|8|00|F|00|-|00|7|00|7|00|6|00|4|00|9|00|D|00|B|00|A|00|1|00|E|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x002\x006\x001\x00E\x00E\x004\x002\x00-\x003\x001\x008\x00E\x00-\x004\x009\x000\x00A\x00-\x00A\x00E\x008\x00F\x00-\x007\x007\x006\x004\x009\x00D\x00B\x00A\x001\x00E\x00C\x00A\x00(}\x00)?\5/si"; reference:bugtraq,23201; reference:cve,2007-1784; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21257029; reference:url,www.securityfocus.com/archive/1/464185; classtype:attempted-user; sid:10416; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 4xem VatCtrl ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|1|00|0|00|D|00|0|00|C|00|B|00|C|00|-|00|8|00|B|00|1|00|7|00|-|00|4|00|8|00|D|00|1|00|-|00|B|00|2|00|9|00|4|00|-|00|1|00|A|00|3|00|3|00|8|00|D|00|D|00|2|00|E|00|B|00|3|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13532; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ebCrypt PRNGenerator ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|1|00|E|00|7|00|5|00|0|00|5|00|E|00|-|00|B|00|B|00|F|00|D|00|-|00|4|00|2|00|B|00|F|00|-|00|9|00|8|00|C|00|9|00|-|00|6|00|0|00|2|00|2|00|0|00|5|00|A|00|1|00|5|00|0|00|4|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,25787; reference:cve,2007-5110; classtype:attempted-user; sid:12605; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmappsdk.CuiObj ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|8|00|F|00|1|00|E|00|0|00|7|00|B|00|-|00|6|00|0|00|9|00|F|00|-|00|4|00|b|00|8|00|7|00|-|00|9|00|D|00|5|00|7|00|-|00|A|00|8|00|7|00|9|00|0|00|2|00|3|00|A|00|7|00|5|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x00F\x001\x00E\x000\x007\x00B\x00-\x006\x000\x009\x00F\x00-\x004\x00b\x008\x007\x00-\x009\x00D\x005\x007\x00-\x00A\x008\x007\x009\x000\x002\x003\x00A\x007\x005\x00F\x00C\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14399; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sienzo Digital Music Mentor ActiveX function call unicode access"; 
flow:established,to_client; content:"D|00|S|00|K|00|e|00|r|00|n|00|e|00|l|00|.|00|L|00|M|00|D|00|S|00|K|00|e|00|r|00|n|00|e|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00.\x00L\x00M\x00D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00.\x00L\x00M\x00D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23838; reference:cve,2007-2564; reference:url,moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html; classtype:attempted-user; sid:11213; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 43 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|9|00|8|00|1|00|B|00|9|00|7|00|8|00|-|00|7|00|0|00|D|00|9|00|-|00|4|00|0|00|B|00|9|00|-|00|B|00|0|00|0|00|E|00|-|00|9|00|0|00|3|00|B|00|6|00|F|00|C|00|8|00|C|00|A|00|8|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x009\x008\x001\x00B\x009\x007\x008\x00-\x007\x000\x00D\x009\x00-\x004\x000\x00B\x009\x00-\x00B\x000\x000\x00E\x00-\x009\x000\x003\x00B\x006\x00F\x00C\x008\x00C\x00A\x008\x00A\x00(}\x00)?(?P=q76)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14173; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CEnroll.CEnroll.2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"1|00|2|00|7|00|6|00|9|00|8|00|E|00|4|00|-|00|E|00|7|00|3|00|0|00|-|00|4|00|E|00|5|00|C|00|-|00|A|00|2|00|B|00|1|00|-|00|2|00|1|00|4|00|9|00|0|00|A|00|7|00|0|00|C|00|8|00|A|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x002\x007\x006\x009\x008\x00E\x004\x00-\x00E\x007\x003\x000\x00-\x004\x00E\x005\x00C\x00-\x00A\x002\x00B\x001\x00-\x002\x001\x004\x009\x000\x00A\x007\x000\x00C\x008\x00A\x001\x00(}\x00)?\5/si"; reference:url,browserfun.blogspot.com/2006/07/mobb-21-cenroll-stringtobinary.html; reference:url,osvdb.org/27230; classtype:attempted-user; sid:9818; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MSN Heartbeat ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|5|00|D|00|4|00|1|00|9|00|D|00|6|00|-|00|A|00|8|00|4|00|6|00|-|00|4|00|5|00|1|00|4|00|-|00|9|00|F|00|A|00|D|00|-|00|9|00|7|00|E|00|8|00|2|00|6|00|C|00|8|00|4|00|8|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,11367; reference:cve,2004-0978; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12956; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL Radio AmpX ActiveX function call unicode access"; flow:established,to_client; content:"W|00|i|00|n|00|A|00|m|00|p|00|X|00|.|00|I|00|W|00|i|00|n|00|A|00|m|00|p|00|A|00|c|00|t|00|i|00|v|00|e|00|X|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00i\x00n\x00A\x00m\x00p\x00X\x00.\x00I\x00W\x00i\x00n\x00A\x00m\x00p\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)W\x00i\x00n\x00A\x00m\x00p\x00X\x00.\x00I\x00W\x00i\x00n\x00A\x00m\x00p\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26396; reference:cve,2007-5755; classtype:attempted-user; sid:12732; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbUpdate Class ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|c|00|4|00|3|00|8|00|7|00|a|00|e|00|-|00|2|00|b|00|2|00|3|00|-|00|4|00|c|00|4|00|5|00|-|00|8|00|b|00|c|00|6|00|-|00|c|00|1|00|d|00|f|00|b|00|d|00|d|00|f|00|b|00|2|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00c\x004\x003\x008\x007\x00a\x00e\x00-\x002\x00b\x002\x003\x00-\x004\x00c\x004\x005\x00-\x008\x00b\x00c\x006\x00-\x00c\x001\x00d\x00f\x00b\x00d\x00d\x00f\x00b\x002\x004\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14311; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Studio 6 VBTOVSI.dll ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|E|00|E|00|A|00|3|00|9|00|E|00|3|00|-|00|4|00|1|00|D|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|A|00|B|00|3|00|B|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; 
fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; reference:bugtraq,25635; reference:cve,2007-4890; classtype:attempted-user; sid:12462; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker SASATL ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|7|00|5|00|4|00|F|00|5|00|8|00|8|00|-|00|E|00|2|00|6|00|2|00|-|00|4|00|2|00|D|00|2|00|-|00|A|00|6|00|B|00|C|00|-|00|3|00|B|00|B|00|4|00|0|00|0|00|A|00|C|00|F|00|E|00|E|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25025; reference:cve,2007-3984; classtype:attempted-user; sid:12117; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Second Sight Software ActiveMod ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|0|00|7|00|8|00|D|00|6|00|E|00|C|00|-|00|6|00|9|00|3|00|C|00|-|00|4|00|F|00|B|00|2|00|-|00|A|00|E|00|7|00|B|00|-|00|A|00|6|00|B|00|8|00|D|00|2|00|B|00|C|00|4|00|D|00|C|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:bugtraq,23554; reference:cve,2007-1691; reference:url,www.kb.cert.org/vuls/id/962305; classtype:attempted-user; sid:10983; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools ISIS ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|I|00|s|00|i|00|s|00|.|00|L|00|E|00|A|00|D|00|I|00|s|00|i|00|s|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00.\x00L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00.\x00L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24094; reference:cve,2007-2854; reference:url,moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html; classtype:attempted-user; sid:11627; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 55 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|3|00|B|00|C|00|F|00|D|00|0|00|F|00|-|00|0|00|D|00|A|00|A|00|-|00|4|00|B|00|2|00|1|00|-|00|B|00|7|00|0|00|9|00|-|00|2|00|A|00|8|00|D|00|9|00|D|00|9|00|C|00|6|00|9|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x003\x00B\x00C\x00F\x00D\x000\x00F\x00-\x000\x00D\x00A\x00A\x00-\x004\x00B\x002\x001\x00-\x00B\x007\x000\x009\x00-\x002\x00A\x008\x00D\x009\x00D\x009\x00C\x006\x009\x002\x00A\x00(}\x00)?(?P=q102)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14197; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMStatusbarCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|S|00|t|00|a|00|t|00|u|00|s|00|b|00|a|00|r|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00t\x00a\x00t\x00u\x00s\x00b\x00a\x00r\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00t\x00a\x00t\x00u\x00s\x00b\x00a\x00r\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14305; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Dialog File Object ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|7|00|9|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; reference:bugtraq,24133; reference:cve,2007-2895; reference:url,moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html; classtype:attempted-user; sid:11631; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Chilkat HTTP 2 ActiveX function call unicode access"; flow:established,to_client; content:"C|00|H|00|I|00|L|00|K|00|A|00|T|00|H|00|T|00|T|00|P|00|L|00|i|00|b|00|.|00|C|00|h|00|i|00|l|00|k|00|a|00|t|00|H|00|t|00|t|00|p|00|R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(?P=q18)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13692; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 PDWizard.File ActiveX function call unicode access"; flow:established,to_client; content:"P|00|D|00|W|00|i|00|z|00|a|00|r|00|d|00|.|00|F|00|i|00|l|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00F\x00i\x00l\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00F\x00i\x00l\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12264; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 9 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|C|00|E|00|3|00|B|00|A|00|E|00|6|00|-|00|A|00|B|00|6|00|6|00|-|00|4|00|0|00|b|00|6|00|-|00|9|00|0|00|1|00|9|00|-|00|4|00|1|00|E|00|5|00|2|00|8|00|2|00|F|00|F|00|1|00|E|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; 
reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12410; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientHost Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|H|00|o|00|s|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14439; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioFile2 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|7|00|8|00|2|00|9|00|F|00|1|00|4|00|-|00|D|00|9|00|1|00|1|00|-|00|4|00|0|00|F|00|F|00|-|00|A|00|2|00|F|00|0|00|-|00|D|00|1|00|1|00|D|00|B|00|8|00|D|00|6|00|D|00|0|00|B|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x007\x008\x002\x009\x00F\x001\x004\x00-\x00D\x009\x001\x001\x00-\x004\x000\x00F\x00F\x00-\x00A\x002\x00F\x000\x00-\x00D\x001\x001\x00D\x00B\x008\x00D\x006\x00D\x000\x00B\x00C\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; reference:bugtraq,22196; reference:bugtraq,33469; reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10085; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 8 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|9|00|2|00|D|00|7|00|6|00|0|00|7|00|-|00|0|00|5|00|D|00|9|00|-|00|4|00|d|00|d|00|8|00|-|00|B|00|6|00|8|00|B|00|-|00|D|00|4|00|5|00|8|00|9|00|4|00|8|00|F|00|B|00|8|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q27)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12408; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientHosts Class ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|7|00|0|00|5|00|1|00|f|00|d|00|9|00|-|00|3|00|e|00|4|00|e|00|-|00|4|00|f|00|7|00|9|00|-|00|b|00|1|00|a|00|c|00|-|00|0|00|a|00|2|00|f|00|9|00|3|00|3|00|8|00|f|00|8|00|0|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x007\x000\x005\x001\x00f\x00d\x009\x00-\x003\x00e\x004\x00e\x00-\x004\x00f\x007\x009\x00-\x00b\x001\x00a\x00c\x00-\x000\x00a\x002\x00f\x009\x003\x003\x008\x00f\x008\x000\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14287; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 8 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|8|00|4|00|F|00|2|00|9|00|3|00|3|00|-|00|6|00|B|00|D|00|D|00|-|00|4|00|E|00|5|00|F|00|-|00|B|00|1|00|B|00|A|00|-|00|A|00|8|00|D|00|9|00|9|00|B|00|6|00|0|00|3|00|6|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x008\x004\x00F\x002\x009\x003\x003\x00-\x006\x00B\x00D\x00D\x00-\x004\x00E\x005\x00F\x00-\x00B\x001\x00B\x00A\x00-\x00A\x008\x00D\x009\x009\x00B\x006\x000\x003\x006\x004\x009\x00(}\x00)?(?P=q42)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13731; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX clsid unicode access"; flow:established,to_client; 
content:"D|00|5|00|1|00|8|00|4|00|A|00|3|00|9|00|-|00|C|00|B|00|D|00|F|00|-|00|4|00|A|00|4|00|F|00|-|00|A|00|C|00|1|00|A|00|-|00|7|00|A|00|4|00|5|00|A|00|8|00|5|00|2|00|C|00|8|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,25494; reference:cve,2007-4515; reference:url,messenger.yahoo.com/security_update.php?id=082907; classtype:attempted-user; sid:12385; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vivotek RTSP MPEG4 SP Control ActiveX function call unicode access"; flow:established,to_client; content:"R|00|t|00|s|00|p|00|V|00|a|00|P|00|g|00|D|00|e|00|c|00|o|00|d|00|e|00|r|00|.|00|R|00|t|00|s|00|p|00|V|00|a|00|P|00|g|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13538; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 1 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|C|00|3|00|7|00|8|00|8|00|6|00|4|00|-|00|D|00|5|00|C|00|4|00|-|00|4|00|D|00|9|00|C|00|-|00|8|00|5|00|4|00|C|00|-|00|4|00|3|00|2|00|E|00|3|00|B|00|E|00|C|00|9|00|C|00|C|00|B|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00C\x003\x007\x008\x008\x006\x004\x00-\x00D\x005\x00C\x004\x00-\x004\x00D\x009\x00C\x00-\x008\x005\x004\x00C\x00-\x004\x003\x002\x00E\x003\x00B\x00E\x00C\x009\x00C\x00C\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26967; reference:cve,2007-6513; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13229; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RemoteBrowseDlg Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|R|00|e|00|m|00|o|00|t|00|e|00|B|00|r|00|o|00|w|00|s|00|e|00|D|00|l|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00B\x00r\x00o\x00w\x00s\x00e\x00D\x00l\x00g\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00B\x00r\x00o\x00w\x00s\x00e\x00D\x00l\x00g\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14405; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 6 
ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|7|00|2|00|6|00|6|00|6|00|9|00|0|00|-|00|b|00|4|00|1|00|2|00|-|00|4|00|a|00|6|00|c|00|-|00|a|00|0|00|7|00|2|00|-|00|2|00|e|00|9|00|7|00|c|00|e|00|8|00|6|00|a|00|0|00|b|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x002\x006\x006\x006\x009\x000\x00-\x00b\x004\x001\x002\x00-\x004\x00a\x006\x00c\x00-\x00a\x000\x007\x002\x00-\x002\x00e\x009\x007\x00c\x00e\x008\x006\x00a\x000\x00b\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14365; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Friendly Technologies fwRemoteConfig ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|4|00|A|00|0|00|6|00|6|00|9|00|7|00|-|00|C|00|0|00|E|00|7|00|-|00|4|00|B|00|B|00|6|00|-|00|8|00|C|00|3|00|B|00|-|00|E|00|0|00|1|00|0|00|1|00|6|00|A|00|4|00|4|00|0|00|8|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x004\x00A\x000\x006\x006\x009\x007\x00-\x00C\x000\x00E\x007\x00-\x004\x00B\x00B\x006\x00-\x008\x00C\x003\x00B\x00-\x00E\x000\x001\x000\x001\x006\x00A\x004\x004\x000\x008\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,30889; reference:bugtraq,30891; reference:cve,2008-4048; reference:cve,2008-4049; classtype:attempted-user; sid:14240; rev:6;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 18 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|6|00|8|00|6|00|6|00|F|00|9|00|-|00|B|00|6|00|7|00|C|00|-|00|4|00|B|00|2|00|4|00|-|00|9|00|9|00|5|00|7|00|-|00|F|00|9|00|1|00|E|00|9|00|1|00|E|00|7|00|8|00|8|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x006\x008\x006\x006\x00F\x009\x00-\x00B\x006\x007\x00C\x00-\x004\x00B\x002\x004\x00-\x009\x009\x005\x007\x00-\x00F\x009\x001\x00E\x009\x001\x00E\x007\x008\x008\x00D\x00C\x00(}\x00)?(?P=q21)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13751; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Toolbar YShortcut ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|7|00|C|00|E|00|9|00|7|00|C|00|5|00|-|00|A|00|B|00|E|00|6|00|-|00|4|00|2|00|9|00|A|00|-|00|B|00|6|00|B|00|D|00|-|00|3|00|B|00|D|00|1|00|3|00|3|00|3|00|A|00|0|00|8|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26956; reference:cve,2007-6535; classtype:attempted-user; sid:13225; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PPStream PowerList ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|0|00|C|00|2|00|C|00|2|00|8|00|6|00|-|00|B|00|D|00|E|00|8|00|-|00|4|00|4|00|1|00|B|00|-|00|B|00|7|00|3|00|D|00|-|00|A|00|F|00|A|00|2|00|2|00|D|00|9|00|1|00|4|00|D|00|A|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; 
reference:bugtraq,26580; classtype:attempted-user; sid:12756; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Instant Support ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|5|00|6|00|B|00|F|00|4|00|B|00|7|00|-|00|A|00|E|00|3|00|A|00|-|00|4|00|3|00|6|00|5|00|-|00|B|00|D|00|8|00|8|00|-|00|9|00|5|00|A|00|7|00|5|00|A|00|F|00|8|00|F|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24730; reference:cve,2007-3554; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597; classtype:attempted-user; sid:12063; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 7 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|1|00|4|00|7|00|3|00|C|00|F|00|B|00|-|00|6|00|6|00|B|00|6|00|-|00|4|00|5|00|B|00|8|00|-|00|8|00|F|00|B|00|3|00|-|00|2|00|B|00|C|00|9|00|C|00|1|00|F|00|D|00|8|00|7|00|B|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x004\x007\x003\x00C\x00F\x00B\x00-\x006\x006\x00B\x006\x00-\x004\x005\x00B\x008\x00-\x008\x00F\x00B\x003\x00-\x002\x00B\x00C\x009\x00C\x001\x00F\x00D\x008\x007\x00B\x00A\x00(}\x00)?(?P=q134)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14101; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 2 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|7|00|1|00|D|00|C|00|2|00|5|00|2|00|-|00|6|00|F|00|E|00|1|00|-|00|4|00|D|00|5|00|9|00|-|00|9|00|0|00|5|00|3|00|-|00|E|00|4|00|C|00|F|00|5|00|0|00|A|00|B|00|9|00|9|00|D|00|E|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x007\x001\x00D\x00C\x002\x005\x002\x00-\x006\x00F\x00E\x001\x00-\x004\x00D\x005\x009\x00-\x009\x000\x005\x003\x00-\x00E\x004\x00C\x00F\x005\x000\x00A\x00B\x009\x009\x00D\x00E\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14321; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RMP Download Handler ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|R|00|M|00|P|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00M\x00P\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q26)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00M\x00P\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q27)(\s|>)(\s\x00)*\)\x00/smi"; 
reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14047; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 16 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|6|00|0|00|4|00|E|00|C|00|1|00|9|00|-|00|E|00|0|00|0|00|9|00|-|00|4|00|D|00|C|00|B|00|-|00|A|00|B|00|C|00|5|00|-|00|B|00|B|00|9|00|5|00|B|00|F|00|9|00|2|00|F|00|D|00|8|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x006\x000\x004\x00E\x00C\x001\x009\x00-\x00E\x000\x000\x009\x00-\x004\x00D\x00C\x00B\x00-\x00A\x00B\x00C\x005\x00-\x00B\x00B\x009\x005\x00B\x00F\x009\x002\x00F\x00D\x008\x00B\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14119; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX function call unicode access"; flow:established,to_client; content:"S|00|o|00|f|00|t|00|A|00|r|00|t|00|i|00|s|00|a|00|n|00|s|00|.|00|F|00|i|00|l|00|e|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00o\x00f\x00t\x00A\x00r\x00t\x00i\x00s\x00a\x00n\x00s\x00.\x00F\x00i\x00l\x00e\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00o\x00f\x00t\x00A\x00r\x00t\x00i\x00s\x00a\x00n\x00s\x00.\x00F\x00i\x00l\x00e\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,30826; reference:cve,2007-1682; reference:url,support.softartisans.com/Support-114.aspx; classtype:attempted-user; sid:14234; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Messenger CYFT ActiveX function call unicode access"; flow:established,to_client; content:"f|00|t|00|6|00|0|00|.|00|Y|00|F|00|T|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)f\x00t\x006\x000\x00.\x00Y\x00F\x00T\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)f\x00t\x006\x000\x00.\x00Y\x00F\x00T\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25727; reference:cve,2007-5017; classtype:attempted-user; sid:12479; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMAppSdkUtil Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|A|00|p|00|p|00|S|00|d|00|k|00|U|00|t|00|i|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00A\x00p\x00p\x00S\x00d\x00k\x00U\x00t\x00i\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00A\x00p\x00p\x00S\x00d\x00k\x00U\x00t\x00i\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14427; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 70 ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|4|00|C|00|9|00|7|00|9|00|2|00|5|00|-|00|C|00|1|00|9|00|4|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|8|00|3|00|1|00|-|00|E|00|A|00|B|00|B|00|D|00|0|00|2|00|8|00|0|00|8|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x004\x00C\x009\x007\x009\x002\x005\x00-\x00C\x001\x009\x004\x00-\x004\x005\x005\x001\x00-\x008\x008\x003\x001\x00-\x00E\x00A\x00B\x00B\x00D\x000\x002\x008\x000\x008\x008\x005\x00(}\x00)?(?P=q136)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14227; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 60 ActiveX clsid unicode 
access"; flow:established,to_client; content:"4|00|6|00|1|00|4|00|C|00|4|00|9|00|A|00|-|00|0|00|B|00|7|00|D|00|-|00|4|00|E|00|0|00|D|00|-|00|A|00|8|00|7|00|7|00|-|00|3|00|8|00|C|00|C|00|C|00|F|00|E|00|7|00|D|00|5|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x006\x001\x004\x00C\x004\x009\x00A\x00-\x000\x00B\x007\x00D\x00-\x004\x00E\x000\x00D\x00-\x00A\x008\x007\x007\x00-\x003\x008\x00C\x00C\x00C\x00F\x00E\x007\x00D\x005\x008\x009\x00(}\x00)?(?P=q114)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14207; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebEx GPCContainer ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|0|00|6|00|E|00|2|00|E|00|9|00|9|00|-|00|0|00|A|00|A|00|1|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|B|00|A|00|6|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|2|00|A|00|A|00|7|00|5|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26430; reference:cve,2007-6005; classtype:attempted-user; sid:12715; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Learn2 STRunner ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|B|00|7|00|2|00|C|00|C|00|A|00|4|00|-|00|5|00|F|00|1|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|C|00|B|00|5|00|-|00|0|00|0|00|0|00|0|00|C|00|0|00|E|00|C|00|9|00|F|00|D|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,28058; reference:cve,2007-6252; classtype:attempted-user; sid:13544; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 
Vivotek RTSP MPEG4 SP Control ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|5|00|8|00|3|00|0|00|F|00|F|00|9|00|-|00|D|00|9|00|E|00|6|00|-|00|4|00|F|00|4|00|1|00|-|00|8|00|6|00|E|00|D|00|-|00|B|00|2|00|6|00|6|00|9|00|3|00|3|00|D|00|8|00|E|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13536; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 24 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|C|00|2|00|D|00|E|00|2|00|E|00|6|00|-|00|2|00|A|00|D|00|1|00|-|00|4|00|3|00|0|00|1|00|-|00|A|00|6|00|A|00|7|00|-|00|D|00|F|00|3|00|6|00|4|00|8|00|5|00|8|00|E|00|F|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00C\x002\x00D\x00E\x002\x00E\x006\x00-\x002\x00A\x00D\x001\x00-\x004\x003\x000\x001\x00-\x00A\x006\x00A\x007\x00-\x00D\x00F\x003\x006\x004\x008\x005\x008\x00E\x00F\x000\x001\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14135; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RegVmsCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|b|00|c|00|3|00|4|00|d|00|1|00|5|00|-|00|e|00|e|00|9|00|2|00|-|00|4|00|6|00|b|00|3|00|-|00|8|00|c|00|6|00|a|00|-|00|0|00|3|00|d|00|e|00|5|00|8|00|9|00|a|00|b|00|7|00|2|00|7|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00b\x00c\x003\x004\x00d\x001\x005\x00-\x00e\x00e\x009\x002\x00-\x004\x006\x00b\x003\x00-\x008\x00c\x006\x00a\x00-\x000\x003\x00d\x00e\x005\x008\x009\x00a\x00b\x007\x002\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14407; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office 2000 and 2002 Web Components Spreadsheet ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|1|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,4453; reference:cve,2002-0860; reference:cve,2006-4695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:13467; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CA BrightStor ListCtrl ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|F|00|6|00|E|00|F|00|F|00|F|00|3|00|-|00|4|00|5|00|5|00|8|00|-|00|4|00|C|00|4|00|C|00|-|00|A|00|D|00|A|00|F|00|-|00|A|00|8|00|7|00|8|00|9|00|1|00|C|00|5|00|F|00|3|00|A|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,28268; reference:cve,2008-1472; classtype:attempted-user; sid:13622; rev:7;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual FoxPro 2 ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|s|00|u|00|a|00|l|00|F|00|o|00|x|00|p|00|r|00|o|00|.|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00s\x00u\x00a\x00l\x00F\x00o\x00x\x00p\x00r\x00o\x00.\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00s\x00u\x00a\x00l\x00F\x00o\x00x\x00p\x00r\x00o\x00.\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,27205; reference:cve,2008-0236; classtype:attempted-user; sid:13306; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office Viewer ActiveX function call unicode access"; flow:established,to_client; content:"O|00|A|00|.|00|O|00|A|00|c|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q13)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,23811; reference:bugtraq,33243; reference:bugtraq,33283; reference:cve,2007-2588; reference:cve,2009-0382; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:11202; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX Word Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|7|00|A|00|F|00|4|00|A|00|4|00|5|00|-|00|4|00|9|00|B|00|E|00|-|00|4|00|4|00|8|00|5|00|-|00|9|00|F|00|5|00|5|00|-|00|9|00|1|00|A|00|B|00|4|00|0|00|F|00|2|00|2|00|B|00|F|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x00A\x00F\x004\x00A\x004\x005\x00-\x004\x009\x00B\x00E\x00-\x004\x004\x008\x005\x00-\x009\x00F\x005\x005\x00-\x009\x001\x00A\x00B\x004\x000\x00F\x002\x002\x00B\x00F\x002\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23784; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2496; reference:url,moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html; classtype:attempted-user; sid:11188; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|7|00|7|00|8|00|4|00|9|00|B|00|6|00|-|00|6|00|1|00|2|00|5|00|-|00|4|00|4|00|6|00|6|00|-|00|8|00|8|00|D|00|C|00|-|00|4|00|8|00|5|00|5|00|C|00|0|00|1|00|4|00|A|00|0|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24656; reference:cve,2007-3493; reference:url,nctsoft.com/products/NCTAudioStudio2/; classtype:attempted-user; sid:12016; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PBEmail7 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|0|00|C|00|0|00|F|00|D|00|C|00|B|00|-|00|5|00|3|00|B|00|E|00|-|00|4|00|D|00|B|00|3|00|-|00|8|00|6|00|9|00|D|00|-|00|3|00|2|00|B|00|F|00|2|00|D|00|A|00|D|00|0|00|D|00|E|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26058; reference:cve,2007-5446; classtype:attempted-user; sid:12645; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioStudio2 NCT WavChunksEditor ActiveX function call unicode access"; flow:established,to_client; content:"N|00|C|00|T|00|W|00|a|00|v|00|C|00|h|00|u|00|n|00|k|00|s|00|E|00|d|00|i|00|t|00|o|00|r|00|2|00|.|00|W|00|a|00|v|00|C|00|h|00|u|00|n|00|k|00|s|00|E|00|d|00|i|00|t|00|o|00|r|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00.\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00.\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24656; reference:cve,2007-3493; reference:url,nctsoft.com/products/NCTAudioStudio2/; classtype:attempted-user; sid:12018; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbExecuteError Class ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|f|00|f|00|5|00|3|00|1|00|1|00|-|00|5|00|3|00|a|00|4|00|-|00|4|00|3|00|3|00|5|00|-|00|a|00|2|00|d|00|9|00|-|00|b|00|7|00|5|00|e|00|5|00|7|00|3|00|1|00|b|00|b|00|a|00|b|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x002\x00f\x00f\x005\x003\x001\x001\x00-\x005\x003\x00a\x004\x00-\x004\x003\x003\x005\x00-\x00a\x002\x00d\x009\x00-\x00b\x007\x005\x00e\x005\x007\x003\x001\x00b\x00b\x00a\x00b\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14317; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 56 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|3|00|C|00|5|00|5|00|2|00|4|00|B|00|-|00|9|00|7|00|A|00|E|00|-|00|4|00|9|00|1|00|E|00|-|00|8|00|E|00|B|00|7|00|-|00|2|00|A|00|3|00|A|00|D|00|9|00|6|00|4|00|F|00|9|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x003\x00C\x005\x005\x002\x004\x00B\x00-\x009\x007\x00A\x00E\x00-\x004\x009\x001\x00E\x00-\x008\x00E\x00B\x007\x00-\x002\x00A\x003\x00A\x00D\x009\x006\x004\x00F\x009\x002\x006\x00(}\x00)?(?P=q104)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14199; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Earth Resource Mapper NCSView ActiveX clsid unicode access"; flow:established,to_client; 
content:"8|00|E|00|C|00|1|00|8|00|C|00|E|00|2|00|-|00|D|00|7|00|B|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|8|00|C|00|8|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|A|00|7|00|1|00|7|00|F|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,25584; reference:cve,2007-4470; classtype:attempted-user; sid:12414; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GraceNote CDDB ActiveX function call unicode access"; flow:established,to_client; content:"C|00|l|00|a|00|s|00|s|00|C|00|D|00|D|00|B|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|C|00|d|00|d|00|b|00|S|00|e|00|g|00|m|00|e|00|n|00|t|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00l\x00a\x00s\x00s\x00C\x00D\x00D\x00B\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00C\x00d\x00d\x00b\x00S\x00e\x00g\x00m\x00e\x00n\x00t\x00s\x00(?P=q13)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00l\x00a\x00s\x00s\x00C\x00D\x00D\x00B\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00C\x00d\x00d\x00b\x00S\x00e\x00g\x00m\x00e\x00n\x00t\x00s\x00(?P=q14)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,18678; reference:bugtraq,23567; reference:cve,2006-3134; reference:cve,2007-0443; reference:url,www.gracenote.com/corporate/FAQs.html/faqset=update/page=0; reference:url,www.kb.cert.org/vuls/id/701121; classtype:attempted-user; sid:10989; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 SearchHelper ActiveX function call unicode access"; flow:established,to_client; content:"T|00|L|00|I|00|.|00|S|00|e|00|a|00|r|00|c|00|h|00|H|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)T\x00L\x00I\x00.\x00S\x00e\x00a\x00r\x00c\x00h\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)T\x00L\x00I\x00.\x00S\x00e\x00a\x00r\x00c\x00h\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12268; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MS Agent File Provider ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|0|00|0|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25566; reference:cve,2007-3040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-051; classtype:attempted-user; sid:12453; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AudioCDRipper ActiveX function call unicode access"; flow:established,to_client; content:"A|00|u|00|d|00|i|00|o|00|_|00|C|00|D|00|_|00|R|00|i|00|p|00|p|00|e|00|r|00|_|00|O|00|C|00|X|00|.|00|c|00|A|00|u|00|d|00|i|00|o|00|C|00|D|00|R|00|i|00|p|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00u\x00d\x00i\x00o\x00_\x00C\x00D\x00_\x00R\x00i\x00p\x00p\x00e\x00r\x00_\x00O\x00C\x00X\x00.\x00c\x00A\x00u\x00d\x00i\x00o\x00C\x00D\x00R\x00i\x00p\x00p\x00e\x00r\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00u\x00d\x00i\x00o\x00_\x00C\x00D\x00_\x00R\x00i\x00p\x00p\x00e\x00r\x00_\x00O\x00C\x00X\x00.\x00c\x00A\x00u\x00d\x00i\x00o\x00C\x00D\x00R\x00i\x00p\x00p\x00e\x00r\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23900; reference:cve,2007-2603; classtype:attempted-user; sid:11287; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Verisign ConfigCHK ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|8|00|F|00|0|00|4|00|1|00|3|00|9|00|-|00|8|00|D|00|F|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|0|00|E|00|9|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|B|00|0|00|6|00|6|00|E|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x008\x00F\x000\x004\x001\x003\x009\x00-\x008\x00D\x00F\x00C\x00-\x001\x001\x00D\x002\x00-\x008\x000\x00E\x009\x00-\x000\x000\x006\x000\x000\x008\x00B\x000\x006\x006\x00E\x00E\x00(}\x00)?\5/si"; reference:bugtraq,22676; reference:cve,2007-1083; classtype:attempted-user; sid:10171; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IDAutomation Linear Bar Code ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|C|00|3|00|8|00|7|00|4|00|A|00|A|00|-|00|A|00|B|00|3|00|9|00|-|00|4|00|B|00|5|00|E|00|-|00|A|00|7|00|6|00|8|00|-|00|4|00|5|00|F|00|3|00|C|00|E|00|6|00|C|00|6|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; reference:bugtraq,23954; reference:cve,2007-2658; reference:url,moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html; classtype:attempted-user; sid:11294; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 3 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|E|00|F|00|F|00|8|00|C|00|9|00|7|00|-|00|F|00|2|00|A|00|8|00|-|00|4|00|3|00|9|00|5|00|-|00|9|00|F|00|4|00|7|00|-|00|9|00|A|00|0|00|6|00|F|00|9|00|9|00|8|00|B|00|F|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12398; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RNX Download Handler ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|R|00|N|00|X|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00N\x00X\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q31)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00N\x00X\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q32)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14049; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 4 Property Overflows ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|E|00|5|00|E|00|1|00|6|00|7|00|B|00|-|00|1|00|5|00|6|00|6|00|-|00|4|00|3|00|1|00|6|00|-|00|B|00|2|00|7|00|F|00|-|00|0|00|D|00|D|00|A|00|B|00|3|00|4|00|8|00|4|00|C|00|F|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x005\x00E\x001\x006\x007\x00B\x00-\x001\x005\x006\x006\x00-\x004\x003\x001\x006\x00-\x00B\x002\x007\x00F\x00-\x000\x00D\x00D\x00A\x00B\x003\x004\x008\x004\x00C\x00F\x007\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; 
reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13435; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Gatway CWebLaunchCtl ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|3|00|C|00|E|00|A|00|8|00|A|00|4|00|-|00|6|00|0|00|5|00|9|00|-|00|4|00|E|00|0|00|B|00|-|00|A|00|D|00|D|00|D|00|-|00|7|00|3|00|8|00|4|00|8|00|1|00|5|00|3|00|D|00|D|00|5|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27193; reference:cve,2008-0220; reference:url,www.kb.cert.org/vuls/id/735441; classtype:attempted-user; sid:13290; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools ISIS ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|0|00|5|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:bugtraq,24094; reference:cve,2007-2854; reference:url,moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html; classtype:attempted-user; sid:11625; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 28 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|C|00|C|00|1|00|8|00|E|00|3|00|F|00|-|00|4|00|E|00|2|00|B|00|-|00|4|00|D|00|2|00|7|00|-|00|8|00|4|00|0|00|E|00|-|00|C|00|B|00|2|00|F|00|9|00|9|00|A|00|3|00|A|00|0|00|0|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00C\x00C\x001\x008\x00E\x003\x00F\x00-\x004\x00E\x002\x00B\x00-\x004\x00D\x002\x007\x00-\x008\x004\x000\x00E\x00-\x00C\x00B\x002\x00F\x009\x009\x00A\x003\x00A\x000\x000\x003\x00(}\x00)?(?P=q42)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14143; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClient Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14381; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 5 Property Overflows ActiveX function call unicode access"; flow:established,to_client; 
content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13445; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft MciWndx ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|8|00|8|00|F|00|1|00|5|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|1|00|6|00|F|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|D|00|9|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; sid:11254; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Elevated.ElevMgr ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|0|00|F|00|0|00|0|00|0|00|0|00|-|00|7|00|1|00|E|00|B|00|-|00|4|00|7|00|5|00|7|00|-|00|B|00|9|00|7|00|9|00|-|00|4|00|1|00|8|00|F|00|0|00|3|00|9|00|F|00|C|00|1|00|F|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x000\x00F\x000\x000\x000\x000\x00-\x007\x001\x00E\x00B\x00-\x004\x007\x005\x007\x00-\x00B\x009\x007\x009\x00-\x004\x001\x008\x00F\x000\x003\x009\x00F\x00C\x001\x00F\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14355; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 5 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|B|00|B|00|1|00|7|00|7|00|C|00|C|00|-|00|6|00|9|00|0|00|8|00|-|00|4|00|b|00|5|00|3|00|-|00|9|00|B|00|E|00|E|00|-|00|F|00|1|00|C|00|6|00|9|00|7|00|8|00|1|00|8|00|D|00|6|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12402; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|B|00|9|00|C|00|5|00|4|00|2|00|2|00|-|00|3|00|9|00|A|00|A|00|-|00|4|00|c|00|2|00|1|00|-|00|B|00|E|00|E|00|F|00|-|00|6|00|4|00|5|00|E|00|4|00|2|00|E|00|B|00|4|00|5|00|2|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00B\x009\x00C\x005\x004\x002\x002\x00-\x003\x009\x00A\x00A\x00-\x004\x00c\x002\x001\x00-\x00B\x00E\x00E\x00F\x00-\x006\x004\x005\x00E\x004\x002\x00E\x00B\x004\x005\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14279; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 51 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|3|00|9|00|9|00|F|00|5|00|B|00|6|00|-|00|3|00|C|00|6|00|3|00|-|00|4|00|6|00|7|00|4|00|-|00|B|00|0|00|F|00|F|00|-|00|E|00|9|00|4|00|3|00|2|00|8|00|B|00|1|00|9|00|4|00|7|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x003\x009\x009\x00F\x005\x00B\x006\x00-\x003\x00C\x006\x003\x00-\x004\x006\x007\x004\x00-\x00B\x000\x00F\x00F\x00-\x00E\x009\x004\x003\x002\x008\x00B\x001\x009\x004\x007\x00D\x00(}\x00)?(?P=q94)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14189; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VhdCvtCom.DiskLibCreateParamObj ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|9|00|5|00|D|00|B|00|8|00|1|00|4|00|-|00|9|00|4|00|A|00|0|00|-|00|4|00|A|00|D|00|7|00|-|00|8|00|8|00|C|00|3|00|-|00|7|00|D|00|F|00|B|00|E|00|6|00|8|00|8|00|B|00|1|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x009\x005\x00D\x00B\x008\x001\x004\x00-\x009\x004\x00A\x000\x00-\x004\x00A\x00D\x007\x00-\x008\x008\x00C\x003\x00-\x007\x00D\x00F\x00B\x00E\x006\x008\x008\x00B\x001\x002\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14291; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office 2000 and 2002 Web Components Data Source Control ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|3|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x003\x000\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:14630; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX Microsoft Rich TextBox ActiveX function call unicode access"; flow:established,to_client; content:"R|00|I|00|C|00|H|00|T|00|E|00|X|00|T|00|.|00|R|00|i|00|c|00|h|00|T|00|e|00|x|00|t|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)R\x00I\x00C\x00H\x00T\x00E\x00X\x00T\x00.\x00R\x00i\x00c\x00h\x00T\x00e\x00x\x00t\x00C\x00t\x00r\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)R\x00I\x00C\x00H\x00T\x00E\x00X\x00T\x00.\x00R\x00i\x00c\x00h\x00T\x00e\x00x\x00t\x00C\x00t\x00r\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,27201; reference:cve,2008-0237; classtype:attempted-user; sid:13299; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Studio 6 PDWizard.ocx ActiveX function call unicode access"; flow:established,to_client; content:"P|00|D|00|W|00|i|00|z|00|a|00|r|00|d|00|.|00|P|00|u|00|b|00|l|00|i|00|c|00|T|00|o|00|o|00|l|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00P\x00u\x00b\x00l\x00i\x00c\x00T\x00o\x00o\x00l\x00s\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00P\x00u\x00b\x00l\x00i\x00c\x00T\x00o\x00o\x00l\x00s\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25638; reference:cve,2007-4891; classtype:attempted-user; sid:12617; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 9 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|1|00|0|00|E|00|7|00|A|00|D|00|E|00|-|00|7|00|F|00|7|00|5|00|-|00|4|00|0|00|2|00|D|00|-|00|A|00|4|00|A|00|6|00|-|00|B|00|B|00|1|00|A|00|8|00|2|00|3|00|6|00|2|00|F|00|C|00|A|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x000\x00E\x007\x00A\x00D\x00E\x00-\x007\x00F\x007\x005\x00-\x004\x000\x002\x00D\x00-\x00A\x004\x00A\x006\x00-\x00B\x00B\x001\x00A\x008\x002\x003\x006\x002\x00F\x00C\x00A\x00(}\x00)?(?P=q44)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13733; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 37 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|7|00|A|00|F|00|0|00|6|00|D|00|D|00|-|00|8|00|E|00|1|00|B|00|-|00|4|00|C|00|A|00|4|00|-|00|8|00|F|00|5|00|5|00|-|00|6|00|B|00|1|00|E|00|9|00|F|00|F|00|3|00|6|00|A|00|C|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x00A\x00F\x000\x006\x00D\x00D\x00-\x008\x00E\x001\x00B\x00-\x004\x00C\x00A\x004\x00-\x008\x00F\x005\x005\x00-\x006\x00B\x001\x00E\x009\x00F\x00F\x003\x006\x00A\x00C\x00B\x00(}\x00)?(?P=q62)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14161; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Cryptographic API COM 1 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|7|00|E|00|3|00|A|00|1|00|C|00|3|00|-|00|E|00|A|00|8|00|A|00|-|00|4|00|9|00|7|00|0|00|-|00|A|00|F|00|2|00|9|00|-|00|7|00|F|00|5|00|4|00|6|00|1|00|0|00|B|00|1|00|D|00|4|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2007-0940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-028; classtype:attempted-user; sid:11231; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.SysImageUti ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|7|00|6|00|0|00|2|00|A|00|F|00|3|00|-|00|C|00|E|00|F|00|F|00|-|00|4|00|9|00|6|00|2|00|-|00|B|00|E|00|2|00|9|00|-|00|6|00|F|00|B|00|6|00|6|00|B|00|C|00|B|00|9|00|2|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x007\x006\x000\x002\x00A\x00F\x003\x00-\x00C\x00E\x00F\x00F\x00-\x004\x009\x006\x002\x00-\x00B\x00E\x002\x009\x00-\x006\x00F\x00B\x006\x006\x00B\x00C\x00B\x009\x002\x009\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14323; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Thumbnail Browser Control ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|T|00|h|00|u|00|m|00|b|00|.|00|L|00|E|00|A|00|D|00|T|00|h|00|u|00|m|00|b|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00.\x00L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00(?P=q44)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00.\x00L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00(?P=q45)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24053; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html; classtype:attempted-user; sid:11657; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vmc2vmx.CoVPCConfiguration ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|c|00|2|00|v|00|m|00|x|00|.|00|C|00|o|00|V|00|P|00|C|00|C|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00C\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00a\x00t\x00i\x00o\x00n\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00C\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14309; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX LeadTools Raster Dialog File_D Object ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24153; reference:cve,2007-2946; reference:url,moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html; classtype:attempted-user; sid:11637; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access"; flow:established,to_client; content:"A|00|c|00|r|00|o|00|P|00|D|00|F|00|.|00|P|00|D|00|F|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00c\x00r\x00o\x00P\x00D\x00F\x00.\x00P\x00D\x00F\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00c\x00r\x00o\x00P\x00D\x00F\x00.\x00P\x00D\x00F\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,21155; reference:cve,2005-0035; 
reference:cve,2006-6027; reference:cve,2006-6236; reference:url,www.adobe.com/support/security/advisories/apsa06-02.html; classtype:attempted-user; sid:13914; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BlnSetUser Proxy 2 ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|5|00|6|00|C|00|C|00|B|00|4|00|2|00|-|00|5|00|9|00|8|00|C|00|-|00|4|00|6|00|2|00|D|00|-|00|9|00|A|00|D|00|8|00|-|00|4|00|F|00|D|00|5|00|B|00|4|00|4|00|9|00|8|00|C|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x005\x006\x00C\x00C\x00B\x004\x002\x00-\x005\x009\x008\x00C\x00-\x004\x006\x002\x00D\x00-\x009\x00A\x00D\x008\x00-\x004\x00F\x00D\x005\x00B\x004\x004\x009\x008\x00C\x005\x00D\x00(}\x00)?\5/si"; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10155; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMStatusbarCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|6|00|4|00|b|00|d|00|f|00|7|00|b|00|-|00|5|00|c|00|6|00|7|00|-|00|4|00|d|00|a|00|f|00|-|00|8|00|5|00|a|00|3|00|-|00|c|00|6|00|c|00|9|00|2|00|7|00|c|00|b|00|3|00|d|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x006\x004\x00b\x00d\x00f\x007\x00b\x00-\x005\x00c\x006\x007\x00-\x004\x00d\x00a\x00f\x00-\x008\x005\x00a\x003\x00-\x00c\x006\x00c\x009\x002\x007\x00c\x00b\x003\x00d\x003\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; 
reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14303; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MSAuth ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|F|00|E|00|6|00|2|00|2|00|7|00|-|00|1|00|2|00|8|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|0|00|9|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|2|00|5|00|4|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2007-2221; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11225; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX StreamAudio ProxyManager ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|5|00|3|00|F|00|3|00|2|00|0|00|-|00|A|00|B|00|6|00|8|00|-|00|4|00|A|00|0|00|7|00|-|00|9|00|1|00|7|00|D|00|-|00|4|00|F|00|1|00|2|00|D|00|8|00|8|00|8|00|4|00|A|00|0|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27247; reference:cve,2008-0248; classtype:attempted-user; sid:13313; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Music JukeBox MediaGrid ActiveX function call unicode access"; flow:established,to_client; content:"Y|00|M|00|G|00|.|00|Y|00|M|00|G|00|M|00|e|00|d|00|i|00|a|00|G|00|r|00|i|00|d|00|A|00|x|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00M\x00G\x00.\x00Y\x00M\x00G\x00M\x00e\x00d\x00i\x00a\x00G\x00r\x00i\x00d\x00A\x00x\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00M\x00G\x00.\x00Y\x00M\x00G\x00M\x00e\x00d\x00i\x00a\x00G\x00r\x00i\x00d\x00A\x00x\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,27578; reference:cve,2008-0625; classtype:attempted-user; sid:13433; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Playback Handler ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|P|00|l|00|a|00|y|00|b|00|a|00|c|00|k|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*P\x00l\x00a\x00y\x00b\x00a\x00c\x00k\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q11)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*P\x00l\x00a\x00y\x00b\x00a\x00c\x00k\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q12)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14045; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec SupportSoft SmartIssue ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|1|00|0|00|1|00|0|00|e|00|0|00|0|00|-|00|5|00|e|00|8|00|0|00|-|00|1|00|1|00|d|00|8|00|-|00|9|00|e|00|8|00|6|00|-|00|0|00|0|00|0|00|7|00|e|00|9|00|6|00|c|00|6|00|5|00|a|00|e|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x001\x000\x001\x000\x00e\x000\x000\x00-\x005\x00e\x008\x000\x00-\x001\x001\x00d\x008\x00-\x009\x00e\x008\x006\x00-\x000\x000\x000\x007\x00e\x009\x006\x00c\x006\x005\x00a\x00e\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:10394; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbEnumTags Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|E|00|n|00|u|00|m|00|T|00|a|00|g|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00n\x00u\x00m\x00T\x00a\x00g\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00n\x00u\x00m\x00T\x00a\x00g\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14413; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Move Networks Media Player ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|0|00|5|00|4|00|D|00|0|00|8|00|2|00|-|00|3|00|5|00|5|00|D|00|-|00|4|00|B|00|4|00|7|00|-|00|B|00|7|00|7|00|C|00|-|00|3|00|6|00|A|00|7|00|7|00|8|00|8|00|9|00|9|00|F|00|4|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27438; reference:cve,2008-0477; classtype:attempted-user; sid:13349; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBiz EBanking Integrator ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|4|00|4|00|4|00|5|00|4|00|3|00|0|00|-|00|F|00|7|00|8|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|6|00|F|00|8|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|D|00|8|00|C|00|6|00|D|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,28700; reference:cve,2008-1725; classtype:attempted-user; sid:13680; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ebCrypt PRNGenerator ActiveX function call unicode access"; flow:established,to_client; content:"E|00|b|00|C|00|r|00|y|00|p|00|t|00|.|00|e|00|b|00|_|00|c|00|_|00|P|00|R|00|N|00|G|00|e|00|n|00|e|00|r|00|a|00|t|00|o|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00P\x00R\x00N\x00G\x00e\x00n\x00e\x00r\x00a\x00t\x00o\x00r\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00P\x00R\x00N\x00G\x00e\x00n\x00e\x00r\x00a\x00t\x00o\x00r\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25787; reference:cve,2007-5110; classtype:attempted-user; sid:12607; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microgaming Download Helper ActiveX function call unicode access"; flow:established,to_client; content:"D|00|L|00|H|00|e|00|l|00|p|00|e|00|r|00|.|00|W|00|e|00|b|00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00L\x00H\x00e\x00l\x00p\x00e\x00r\x00.\x00W\x00e\x00b\x00H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00L\x00H\x00e\x00l\x00p\x00e\x00r\x00.\x00W\x00e\x00b\x00H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q18)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23595; reference:cve,2007-2177; reference:url,www.kb.cert.org/vuls/id/184473; classtype:attempted-user; sid:10994; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Earth Resource Mapper NCSView ActiveX function call unicode access"; flow:established,to_client; content:"N|00|C|00|S|00|V|00|i|00|e|00|w|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|.|00|N|00|C|00|S|00|V|00|i|00|e|00|w|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00C\x00S\x00V\x00i\x00e\x00w\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00.\x00N\x00C\x00S\x00V\x00i\x00e\x00w\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00C\x00S\x00V\x00i\x00e\x00w\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00.\x00N\x00C\x00S\x00V\x00i\x00e\x00w\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25584; reference:cve,2007-4470; classtype:attempted-user; sid:12416; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ebCrypt IncrementalHash ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|C|00|3|00|4|00|E|00|A|00|C|00|7|00|-|00|9|00|9|00|0|00|4|00|-|00|4|00|4|00|1|00|5|00|-|00|B|00|B|00|E|00|4|00|-|00|8|00|2|00|A|00|A|00|8|00|C|00|0|00|C|00|0|00|B|00|E|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25789; reference:cve,2007-5111; classtype:attempted-user; sid:12601; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Virtual Rooms ActiveX function call unicode access"; flow:established,to_client; content:"W|00|e|00|b|00|H|00|P|00|V|00|C|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|.|00|H|00|P|00|V|00|i|00|r|00|t|00|u|00|a|00|l|00|R|00|o|00|o|00|m|00|s|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00e\x00b\x00H\x00P\x00V\x00C\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00.\x00H\x00P\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00o\x00o\x00m\x00s\x001\x004\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)W\x00e\x00b\x00H\x00P\x00V\x00C\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00.\x00H\x00P\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00o\x00o\x00m\x00s\x001\x004\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; 
reference:bugtraq,27384; reference:cve,2008-0437; classtype:attempted-user; sid:13355; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MarkAny MaPrintModule_WORK ActiveX function call unicode access"; flow:established,to_client; content:"M|00|A|00|P|00|R|00|I|00|N|00|T|00|M|00|O|00|D|00|U|00|L|00|E|00|W|00|O|00|R|00|K|00|.|00|M|00|a|00|P|00|r|00|i|00|n|00|t|00|M|00|o|00|d|00|u|00|l|00|e|00|W|00|O|00|R|00|K|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00A\x00P\x00R\x00I\x00N\x00T\x00M\x00O\x00D\x00U\x00L\x00E\x00W\x00O\x00R\x00K\x00.\x00M\x00a\x00P\x00r\x00i\x00n\x00t\x00M\x00o\x00d\x00u\x00l\x00e\x00W\x00O\x00R\x00K\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)M\x00A\x00P\x00R\x00I\x00N\x00T\x00M\x00O\x00D\x00U\x00L\x00E\x00W\x00O\x00R\x00K\x00.\x00M\x00a\x00P\x00r\x00i\x00n\x00t\x00M\x00o\x00d\x00u\x00l\x00e\x00W\x00O\x00R\x00K\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23420; classtype:attempted-user; sid:10479; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 59 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|A|00|1|00|3|00|B|00|D|00|8|00|5|00|-|00|7|00|E|00|C|00|0|00|-|00|4|00|C|00|C|00|8|00|-|00|9|00|9|00|5|00|8|00|-|00|1|00|B|00|B|00|2|00|A|00|A|00|3|00|2|00|F|00|D|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00A\x001\x003\x00B\x00D\x008\x005\x00-\x007\x00E\x00C\x000\x00-\x004\x00C\x00C\x008\x00-\x009\x009\x005\x008\x00-\x001\x00B\x00B\x002\x00A\x00A\x003\x002\x00F\x00D\x000\x00B\x00(}\x00)?(?P=q110)(?=\s\x00|>\x00)/si"; 
reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14205; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|0|00|E|00|4|00|2|00|D|00|5|00|0|00|-|00|3|00|6|00|8|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|8|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-041; reference:url,www.microsoft.com/TechNet/security/advisory/955179.mspx; classtype:attempted-user; sid:13904; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 15 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|A|00|8|00|9|00|3|00|2|00|F|00|F|00|-|00|E|00|0|00|6|00|4|00|-|00|4|00|3|00|7|00|8|00|-|00|9|00|0|00|1|00|C|00|-|00|6|00|9|00|C|00|B|00|9|00|4|00|E|00|3|00|A|00|2|00|0|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x008\x009\x003\x002\x00F\x00F\x00-\x00E\x000\x006\x004\x00-\x004\x003\x007\x008\x00-\x009\x000\x001\x00C\x00-\x006\x009\x00C\x00B\x009\x004\x00E\x003\x00A\x002\x000\x00A\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14117; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 16 ActiveX clsid unicode access"; flow:established,to_client; 
content:"C|00|7|00|0|00|D|00|0|00|6|00|4|00|1|00|-|00|D|00|D|00|E|00|1|00|-|00|4|00|F|00|D|00|7|00|-|00|A|00|4|00|D|00|4|00|-|00|D|00|A|00|1|00|8|00|7|00|B|00|8|00|0|00|7|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x007\x000\x00D\x000\x006\x004\x001\x00-\x00D\x00D\x00E\x001\x00-\x004\x00F\x00D\x007\x00-\x00A\x004\x00D\x004\x00-\x00D\x00A\x001\x008\x007\x00B\x008\x000\x007\x004\x001\x00D\x00(}\x00)?(?P=q17)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13747; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EDraw Office Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|5|00|3|00|A|00|F|00|E|00|B|00|A|00|-|00|D|00|9|00|6|00|8|00|-|00|4|00|3|00|5|00|F|00|-|00|B|00|5|00|5|00|7|00|-|00|1|00|9|00|F|00|F|00|7|00|6|00|3|00|7|00|2|00|B|00|1|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24229; reference:bugtraq,24230; reference:cve,2007-3168; reference:cve,2007-3169; reference:url,moaxb.blogspot.com/2007/05/moaxb-28-edraw-office-viewer-component.html; reference:url,moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html; classtype:attempted-user; sid:11661; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Windows Media Services ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|6|00|4|00|6|00|2|00|0|00|5|00|B|00|-|00|8|00|7|00|8|00|C|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|0|00|7|00|C|00|-|00|0|00|0|00|0|00|0|00|C|00|0|00|4|00|0|00|B|00|C|00|D|00|B|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x006\x004\x006\x002\x000\x005\x00B\x00-\x008\x007\x008\x00C\x00-\x001\x001\x00D\x001\x00-\x00B\x000\x007\x00C\x00-\x000\x000\x000\x000\x00C\x000\x004\x000\x00B\x00C\x00D\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,30814; reference:cve,2008-5232; classtype:attempted-user; sid:14236; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Redirect ActiveX function call unicode access"; flow:established,to_client; content:"D|00|X|00|I|00|m|00|a|00|g|00|e|00|T|00|r|00|a|00|n|00|s|00|f|00|o|00|r|00|m|00|.|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|R|00|e|00|d|00|i|00|r|00|e|00|c|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00R\x00e\x00d\x00i\x00r\x00e\x00c\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00R\x00e\x00d\x00i\x00r\x00e\x00c\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11242; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 SearchHelper ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|B|00|2|00|1|00|7|00|7|00|5|00|2|00|-|00|7|00|1|00|7|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|5|00|B|00|-|00|D|00|4|00|1|00|2|00|0|00|3|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; 
nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/Osi"; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12266; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX function call unicode access"; flow:established,to_client; content:"d|00|w|00|a|00|7|00|.|00|d|00|w|00|a|00|7|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)d\x00w\x00a\x007\x00.\x00d\x00w\x00a\x007\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)d\x00w\x00a\x007\x00.\x00d\x00w\x00a\x007\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13265; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Toolbar Helper Class ActiveX function call unicode access"; flow:established,to_client; content:"y|00|t|00|.|00|y|00|t|00|h|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)y\x00t\x00.\x00y\x00t\x00h\x00e\x00l\x00p\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)y\x00t\x00.\x00y\x00t\x00h\x00e\x00l\x00p\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26656; reference:cve,2007-6228; classtype:attempted-user; sid:12765; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Studio Msmask32 ActiveX function call unicode access"; flow:established,to_client; content:"M|00|S|00|M|00|a|00|s|00|k|00|.|00|M|00|a|00|s|00|k|00|E|00|d|00|B|00|o|00|x|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00M\x00a\x00s\x00k\x00.\x00M\x00a\x00s\x00k\x00E\x00d\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00M\x00a\x00s\x00k\x00.\x00M\x00a\x00s\x00k\x00E\x00d\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q16)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,30674; reference:cve,2008-3704; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:14024; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.SysImageUti ActiveX function call unicode access"; flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|S|00|y|00|s|00|I|00|m|00|a|00|g|00|e|00|U|00|t|00|i|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00I\x00m\x00a\x00g\x00e\x00U\x00t\x00i\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00I\x00m\x00a\x00g\x00e\x00U\x00t\x00i\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14325; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EasyMail Objects ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|8|00|A|00|C|00|0|00|D|00|5|00|F|00|-|00|0|00|4|00|2|00|4|00|-|00|1|00|1|00|D|00|5|00|-|00|8|00|2|00|2|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|6|00|B|00|A|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:12383; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Westbyte Internet Download Accelerator ActiveX function call unicode access"; flow:established,to_client; content:"i|00|d|00|a|00|i|00|e|00|h|00|l|00|p|00|.|00|I|00|D|00|A|00|I|00|E|00|H|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)i\x00d\x00a\x00i\x00e\x00h\x00l\x00p\x00.\x00I\x00D\x00A\x00I\x00E\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)i\x00d\x00a\x00i\x00e\x00h\x00l\x00p\x00.\x00I\x00D\x00A\x00I\x00E\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24400; reference:cve,2007-3162; classtype:attempted-user; sid:11941; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 2 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|F|00|7|00|2|00|0|00|B|00|9|00|C|00|-|00|2|00|4|00|B|00|1|00|-|00|4|00|9|00|4|00|8|00|-|00|A|00|0|00|3|00|5|00|-|00|8|00|8|00|5|00|3|00|D|00|C|00|0|00|1|00|F|00|1|00|9|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q9)(?=\s\x00|>\x00)/si"; 
reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12396; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Lycos File Upload Component ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|3|00|6|00|1|00|1|00|2|00|B|00|F|00|-|00|2|00|F|00|A|00|3|00|-|00|4|00|6|00|9|00|4|00|-|00|8|00|6|00|0|00|3|00|-|00|3|00|B|00|5|00|1|00|0|00|E|00|A|00|3|00|B|00|4|00|6|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q20)(?=\s\x00|>\x00)/si"; reference:bugtraq,27411; reference:cve,2008-0443; classtype:attempted-user; sid:13336; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster ISIS Object ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|7|00|9|00|7|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q28)(?=\s\x00|>\x00)/si"; reference:bugtraq,24193; reference:cve,2007-2980; reference:url,moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html; classtype:attempted-user; sid:11643; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 4 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|8|00|9|00|E|00|F|00|7|00|4|00|A|00|-|00|9|00|5|00|6|00|B|00|-|00|4|00|B|00|D|00|3|00|-|00|A|00|0|00|6|00|6|00|-|00|4|00|F|00|2|00|3|00|D|00|F|00|8|00|9|00|1|00|9|00|8|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x008\x009\x00E\x00F\x007\x004\x00A\x00-\x009\x005\x006\x00B\x00-\x004\x00B\x00D\x003\x00-\x00A\x000\x006\x006\x00-\x004\x00F\x002\x003\x00D\x00F\x008\x009\x001\x009\x008\x002\x00(}\x00)?(?P=q68)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14095; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 67 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|C|00|0|00|9|00|5|00|6|00|1|00|6|00|-|00|6|00|0|00|6|00|4|00|-|00|4|00|3|00|c|00|a|00|-|00|9|00|1|00|8|00|0|00|-|00|C|00|F|00|1|00|B|00|6|00|B|00|6|00|A|00|0|00|B|00|E|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00C\x000\x009\x005\x006\x001\x006\x00-\x006\x000\x006\x004\x00-\x004\x003\x00c\x00a\x00-\x009\x001\x008\x000\x00-\x00C\x00F\x001\x00B\x006\x00B\x006\x00A\x000\x00B\x00E\x004\x00(}\x00)?(?P=q128)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14221; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DB Software Laboratory VImpX ActiveX function call unicode access"; flow:established,to_client; content:"V|00|I|00|m|00|p|00|X|00|.|00|V|00|I|00|m|00|p|00|A|00|X|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00I\x00m\x00p\x00X\x00.\x00V\x00I\x00m\x00p\x00A\x00X\x00(?P=q8)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00I\x00m\x00p\x00X\x00.\x00V\x00I\x00m\x00p\x00A\x00X\x00(?P=q9)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26064; reference:cve,2007-5445; classtype:attempted-user; sid:12651; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Westbyte Internet Download Accelerator ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|A|00|6|00|4|00|6|00|6|00|7|00|2|00|-|00|9|00|C|00|3|00|A|00|-|00|4|00|C|00|2|00|8|00|-|00|9|00|A|00|7|00|A|00|-|00|1|00|F|00|B|00|0|00|F|00|6|00|3|00|F|00|2|00|8|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,24400; reference:cve,2007-3162; classtype:attempted-user; sid:11939; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Messenger CYFT ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|4|00|F|00|3|00|E|00|A|00|D|00|6|00|-|00|8|00|B|00|8|00|7|00|-|00|4|00|C|00|1|00|A|00|-|00|9|00|7|00|D|00|A|00|-|00|7|00|1|00|C|00|1|00|2|00|6|00|B|00|D|00|A|00|0|00|8|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25727; reference:cve,2007-5017; classtype:attempted-user; sid:12477; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EDraw Office Viewer Component ActiveX function call unicode access"; flow:established,to_client; content:"E|00|D|00|r|00|a|00|w|00|.|00|O|00|f|00|f|00|i|00|c|00|e|00|V|00|i|00|e|00|w|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00D\x00r\x00a\x00w\x00.\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)E\x00D\x00r\x00a\x00w\x00.\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25344; reference:bugtraq,25593; reference:bugtraq,25892; reference:cve,2007-3169; reference:cve,2007-4420; reference:cve,2007-4821; classtype:attempted-user; sid:12433; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office 2000 and 2002 Web Components Chart ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x000\x000\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:14628; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft MciWndx ActiveX function call unicode access"; flow:established,to_client; content:"M|00|C|00|I|00|W|00|N|00|D|00|X|00|.|00|M|00|C|00|I|00|W|00|n|00|d|00|X|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00C\x00I\x00W\x00N\x00D\x00X\x00.\x00M\x00C\x00I\x00W\x00n\x00d\x00X\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)M\x00C\x00I\x00W\x00N\x00D\x00X\x00.\x00M\x00C\x00I\x00W\x00n\x00d\x00X\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; sid:11256; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmappPropObj2 Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|O|00|b|00|j|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x002\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x002\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14373; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 34 ActiveX clsid unicode access"; flow:established,to_client; 
content:"B|00|0|00|A|00|0|00|8|00|D|00|6|00|7|00|-|00|9|00|4|00|6|00|4|00|-|00|4|00|E|00|7|00|3|00|-|00|A|00|5|00|4|00|9|00|-|00|2|00|C|00|C|00|2|00|0|00|8|00|A|00|C|00|6|00|0|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x00A\x000\x008\x00D\x006\x007\x00-\x009\x004\x006\x004\x00-\x004\x00E\x007\x003\x00-\x00A\x005\x004\x009\x00-\x002\x00C\x00C\x002\x000\x008\x00A\x00C\x006\x000\x00D\x003\x00(}\x00)?(?P=q56)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14155; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Provideo Camimage Class ISSCamControl ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|A|00|0|00|F|00|B|00|7|00|5|00|C|00|-|00|C|00|5|00|0|00|E|00|-|00|4|00|7|00|B|00|6|00|-|00|B|00|7|00|E|00|0|00|-|00|3|00|B|00|9|00|C|00|3|00|F|00|A|00|A|00|8|00|A|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,24279; reference:cve,2007-3111; classtype:attempted-user; sid:11678; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Rich TextBox ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|B|00|7|00|C|00|8|00|8|00|6|00|0|00|-|00|D|00|7|00|8|00|F|00|-|00|1|00|0|00|1|00|B|00|-|00|B|00|9|00|B|00|5|00|-|00|0|00|4|00|0|00|2|00|1|00|C|00|0|00|0|00|9|00|4|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,27201; reference:cve,2008-0237; classtype:attempted-user; sid:13297; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP 
eSupportDiagnostics 3 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|7|00|E|00|6|00|7|00|D|00|4|00|A|00|-|00|2|00|3|00|A|00|1|00|-|00|4|00|0|00|D|00|8|00|-|00|A|00|0|00|4|00|9|00|-|00|E|00|E|00|3|00|4|00|C|00|0|00|A|00|F|00|7|00|5|00|6|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x007\x00E\x006\x007\x00D\x004\x00A\x00-\x002\x003\x00A\x001\x00-\x004\x000\x00D\x008\x00-\x00A\x000\x004\x009\x00-\x00E\x00E\x003\x004\x00C\x000\x00A\x00F\x007\x005\x006\x00A\x00(}\x00)?(?P=q32)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13721; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 4 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|C|00|C|00|3|00|D|00|8|00|D|00|E|00|-|00|1|00|8|00|B|00|F|00|-|00|4|00|3|00|f|00|f|00|-|00|8|00|C|00|B|00|8|00|-|00|2|00|1|00|B|00|4|00|4|00|2|00|3|00|0|00|0|00|F|00|D|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12400; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CDNetworks Nefficient Download ActiveX clsid unicode access"; flow:established,to_client; 
content:"A|00|A|00|0|00|7|00|E|00|B|00|D|00|2|00|-|00|E|00|B|00|D|00|D|00|-|00|4|00|B|00|D|00|6|00|-|00|9|00|F|00|8|00|F|00|-|00|1|00|1|00|4|00|B|00|D|00|5|00|1|00|3|00|4|00|9|00|2|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:bugtraq,28666; reference:cve,2008-1885; reference:cve,2008-1886; classtype:attempted-user; sid:13682; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 19 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|C|00|4|00|F|00|9|00|D|00|A|00|0|00|-|00|D|00|B|00|0|00|5|00|-|00|4|00|B|00|B|00|0|00|-|00|8|00|F|00|B|00|2|00|-|00|0|00|3|00|A|00|8|00|0|00|F|00|E|00|9|00|8|00|7|00|7|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00C\x004\x00F\x009\x00D\x00A\x000\x00-\x00D\x00B\x000\x005\x00-\x004\x00B\x00B\x000\x00-\x008\x00F\x00B\x002\x00-\x000\x003\x00A\x008\x000\x00F\x00E\x009\x008\x007\x007\x002\x00(}\x00)?(?P=q23)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13753; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmappPropObj Class ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|7|00|5|00|9|00|2|00|0|00|1|00|0|00|-|00|a|00|4|00|8|00|8|00|-|00|4|00|5|00|d|00|d|00|-|00|b|00|f|00|6|00|d|00|-|00|0|00|0|00|c|00|c|00|1|00|b|00|6|00|f|00|c|00|0|00|c|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x005\x009\x002\x000\x001\x000\x00-\x00a\x004\x008\x008\x00-\x004\x005\x00d\x00d\x00-\x00b\x00f\x006\x00d\x00-\x000\x000\x00c\x00c\x001\x00b\x006\x00f\x00c\x000\x00c\x00e\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14339; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 50 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|B|00|9|00|C|00|0|00|C|00|2|00|6|00|-|00|7|00|2|00|8|00|C|00|-|00|4|00|F|00|D|00|A|00|-|00|B|00|8|00|D|00|D|00|-|00|5|00|9|00|8|00|0|00|6|00|E|00|2|00|0|00|E|00|4|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00B\x009\x00C\x000\x00C\x002\x006\x00-\x007\x002\x008\x00C\x00-\x004\x00F\x00D\x00A\x00-\x00B\x008\x00D\x00D\x00-\x005\x009\x008\x000\x006\x00E\x002\x000\x00E\x004\x00D\x009\x00(}\x00)?(?P=q92)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14187; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VideoLAN VLC ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|2|00|3|00|F|00|E|00|9|00|C|00|6|00|-|00|7|00|7|00|8|00|E|00|-|00|4|00|9|00|D|00|4|00|-|00|B|00|5|00|3|00|7|00|-|00|3|00|8|00|F|00|C|00|D|00|E|00|4|00|8|00|8|00|7|00|D|00|8|00|"; 
fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26675; reference:cve,2007-6262; reference:url,www.videolan.org/sa0703.html; classtype:attempted-user; sid:12804; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 6 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|8|00|0|00|D|00|1|00|9|00|9|00|B|00|-|00|C|00|F|00|D|00|D|00|-|00|4|00|d|00|a|00|4|00|-|00|8|00|C|00|4|00|7|00|-|00|2|00|3|00|1|00|0|00|D|00|5|00|B|00|8|00|D|00|D|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q21)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12404; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 4 Property Overflows ActiveX function call unicode access"; flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13437; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RegVmsCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|R|00|e|00|g|00|V|00|m|00|s|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00g\x00V\x00m\x00s\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00g\x00V\x00m\x00s\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; 
reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14409; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle JInitiator ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|b|00|9|00|3|00|5|00|4|00|7|00|0|00|-|00|a|00|d|00|4|00|a|00|-|00|1|00|1|00|d|00|5|00|-|00|b|00|6|00|3|00|e|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|a|00|e|00|d|00|b|00|1|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,25473; reference:cve,2007-4467; classtype:attempted-user; sid:12381; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 9 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|3|00|b|00|e|00|e|00|c|00|8|00|b|00|-|00|7|00|8|00|3|00|e|00|-|00|4|00|f|00|8|00|7|00|-|00|a|00|1|00|d|00|7|00|-|00|6|00|1|00|9|00|3|00|6|00|f|00|3|00|8|00|0|00|5|00|c|00|f|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x003\x00b\x00e\x00e\x00c\x008\x00b\x00-\x007\x008\x003\x00e\x00-\x004\x00f\x008\x007\x00-\x00a\x001\x00d\x007\x00-\x006\x001\x009\x003\x006\x00f\x003\x008\x000\x005\x00c\x00f\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14435; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 21 ActiveX clsid unicode access"; flow:established,to_client; 
content:"9|00|7|00|7|00|3|00|1|00|5|00|A|00|5|00|-|00|C|00|0|00|D|00|B|00|-|00|4|00|E|00|F|00|D|00|-|00|8|00|9|00|C|00|2|00|-|00|1|00|0|00|A|00|A|00|8|00|6|00|C|00|A|00|3|00|9|00|A|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x007\x003\x001\x005\x00A\x005\x00-\x00C\x000\x00D\x00B\x00-\x004\x00E\x00F\x00D\x00-\x008\x009\x00C\x002\x00-\x001\x000\x00A\x00A\x008\x006\x00C\x00A\x003\x009\x00A\x005\x00(}\x00)?(?P=q28)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14129; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Excel Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|8|00|A|00|2|00|9|00|5|00|D|00|A|00|-|00|0|00|8|00|8|00|E|00|-|00|4|00|2|00|D|00|1|00|-|00|B|00|E|00|3|00|1|00|-|00|5|00|0|00|2|00|8|00|D|00|7|00|F|00|9|00|B|00|9|00|6|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x008\x00A\x002\x009\x005\x00D\x00A\x00-\x000\x008\x008\x00E\x00-\x004\x002\x00D\x001\x00-\x00B\x00E\x003\x001\x00-\x005\x000\x002\x008\x00D\x007\x00F\x009\x00B\x009\x006\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23755; reference:bugtraq,33222; reference:bugtraq,33243; reference:cve,2007-2495; reference:url,moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html; classtype:attempted-user; sid:11182; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 10 ActiveX clsid unicode access"; flow:established,to_client; 
content:"9|00|3|00|4|00|4|00|1|00|C|00|0|00|7|00|-|00|E|00|5|00|7|00|E|00|-|00|4|00|0|00|8|00|6|00|-|00|B|00|9|00|1|00|2|00|-|00|F|00|3|00|2|00|3|00|D|00|7|00|4|00|1|00|A|00|9|00|D|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x003\x004\x004\x001\x00C\x000\x007\x00-\x00E\x005\x007\x00E\x00-\x004\x000\x008\x006\x00-\x00B\x009\x001\x002\x00-\x00F\x003\x002\x003\x00D\x007\x004\x001\x00A\x009\x00D\x008\x00(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13735; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VhdCvtCom.DiskLibCreateParamObj ActiveX function call unicode access"; flow:established,to_client; content:"V|00|h|00|d|00|C|00|v|00|t|00|C|00|o|00|m|00|.|00|D|00|i|00|s|00|k|00|L|00|i|00|b|00|C|00|r|00|e|00|a|00|t|00|e|00|P|00|a|00|r|00|a|00|m|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00C\x00r\x00e\x00a\x00t\x00e\x00P\x00a\x00r\x00a\x00m\x00O\x00b\x00j\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00C\x00r\x00e\x00a\x00t\x00e\x00P\x00a\x00r\x00a\x00m\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; 
reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14293; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Norton AntiVirus ActiveX function call unicode access"; flow:established,to_client; content:"S|02|y|00|m|00|a|00|n|00|t|00|e|00|c|00|.|00|N|00|o|00|r|00|t|00|o|00|n|00|.|00|A|00|n|00|t|00|i|00|V|00|i|00|r|00|u|00|s|00|.|00|N|00|A|00|V|00|O|00|p|00|t|00|i|00|o|00|n|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00y\x00m\x00a\x00n\x00t\x00e\x00c\x00.\x00N\x00o\x00r\x00t\x00o\x00n\x00.\x00A\x00n\x00t\x00i\x00V\x00i\x00r\x00u\x00s\x00.\x00N\x00A\x00V\x00O\x00p\x00t\x00i\x00o\x00n\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00y\x00m\x00a\x00n\x00t\x00e\x00c\x00.\x00N\x00o\x00r\x00t\x00o\x00n\x00.\x00A\x00n\x00t\x00i\x00V\x00i\x00r\x00u\x00s\x00.\x00N\x00A\x00V\x00O\x00p\x00t\x00i\x00o\x00n\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23822; reference:cve,2006-3456; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=529; reference:url,www.symantec.com/avcenter/security/Content/2007.05.09.html; classtype:attempted-user; sid:11271; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX OutlookExpress.AddressBook ActiveX function call unicode access"; flow:established,to_client; content:"O|00|u|00|t|00|l|00|o|00|o|00|k|00|E|00|x|00|p|00|r|00|e|00|s|00|s|00|.|00|A|00|d|00|d|00|r|00|e|00|s|00|s|00|B|00|o|00|o|00|k|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00u\x00t\x00l\x00o\x00o\x00k\x00E\x00x\x00p\x00r\x00e\x00s\x00s\x00.\x00A\x00d\x00d\x00r\x00e\x00s\x00s\x00B\x00o\x00o\x00k\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)O\x00u\x00t\x00l\x00o\x00o\x00k\x00E\x00x\x00p\x00r\x00e\x00s\x00s\x00.\x00A\x00d\x00d\x00r\x00e\x00s\x00s\x00B\x00o\x00o\x00k\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; sid:11238; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ICQ Toolbar toolbaru.dll ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|5|00|5|00|F|00|3|00|B|00|1|00|6|00|-|00|6|00|D|00|3|00|2|00|-|00|4|00|F|00|E|00|6|00|-|00|8|00|A|00|5|00|6|00|-|00|B|00|B|00|B|00|6|00|9|00|5|00|9|00|8|00|9|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,28086; reference:bugtraq,28118; reference:cve,2008-7135; reference:cve,2008-7136; classtype:attempted-user; sid:13596; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Toshiba Surveillance Surveillix DVR ActiveX function call unicode access"; flow:established,to_client; content:"R|00|e|00|c|00|o|00|r|00|d|00|S|00|e|00|n|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)R\x00e\x00c\x00o\x00r\x00d\x00S\x00e\x00n\x00d\x00(?P=q13)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)R\x00e\x00c\x00o\x00r\x00d\x00S\x00e\x00n\x00d\x00(?P=q14)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27360; reference:cve,2008-0399; classtype:attempted-user; sid:13332; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash.9 ActiveX function call unicode access"; 
flow:established,to_client; content:"S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|.|00|S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|.|00|9|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x009\x00(?P=q1)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x009\x00(?P=q2)(\s|>)(\s\x00)*\)\x00/smi"; reference:url,www.securityfocus.com/archive/1/443383/30/150/threaded; classtype:attempted-user; sid:13218; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Software Update RulesEngine.dll ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|C|00|B|00|9|00|D|00|4|00|F|00|5|00|-|00|C|00|4|00|9|00|2|00|-|00|4|00|2|00|A|00|4|00|-|00|9|00|3|00|B|00|1|00|-|00|3|00|F|00|7|00|D|00|6|00|9|00|4|00|6|00|4|00|7|00|0|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00C\x00B\x009\x00D\x004\x00F\x005\x00-\x00C\x004\x009\x002\x00-\x004\x002\x00A\x004\x00-\x009\x003\x00B\x001\x00-\x003\x00F\x007\x00D\x006\x009\x004\x006\x004\x007\x000\x00D\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26950; reference:cve,2007-6506; classtype:attempted-user; sid:13220; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 14 ActiveX clsid unicode access"; flow:established,to_client; 
content:"A|00|E|00|6|00|C|00|4|00|7|00|0|00|5|00|-|00|0|00|F|00|1|00|1|00|-|00|4|00|A|00|C|00|B|00|-|00|B|00|D|00|D|00|4|00|-|00|3|00|7|00|F|00|1|00|3|00|8|00|B|00|E|00|F|00|2|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00E\x006\x00C\x004\x007\x000\x005\x00-\x000\x00F\x001\x001\x00-\x004\x00A\x00C\x00B\x00-\x00B\x00D\x00D\x004\x00-\x003\x007\x00F\x001\x003\x008\x00B\x00E\x00F\x002\x008\x009\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14115; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Elevated.ElevMgr ActiveX function call unicode access"; flow:established,to_client; content:"E|00|l|00|e|00|v|00|a|00|t|00|e|00|d|00|.|00|E|00|l|00|e|00|v|00|M|00|g|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00E\x00l\x00e\x00v\x00M\x00g\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00E\x00l\x00e\x00v\x00M\x00g\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14357; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX IE Address ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|e|00|0|00|1|00|1|00|5|00|9|00|0|00|-|00|0|00|5|00|3|00|1|00|-|00|4|00|8|00|0|00|4|00|-|00|9|00|c|00|9|00|c|00|-|00|3|00|f|00|e|00|d|00|c|00|7|00|e|00|6|00|e|00|5|00|c|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,download.microsoft.com/download/2/7/0/270e884a-9ba8-47e9-a732-15caee568f76/AdditionalInfo_KB905915.rtf; reference:url,support.microsoft.com/kb/905915; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-054; classtype:attempted-user; sid:11249; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VeralSoft HTTP File Uploader ActiveX function call unicode access"; flow:established,to_client; content:"U|00|F|00|i|00|l|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|D|00|.|00|F|00|i|00|l|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|D|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)U\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00.\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)U\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00.\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23853; reference:cve,2007-2563; reference:url,moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html; classtype:attempted-user; sid:11217; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GlobalLink ConnectAndEnterRoom ActiveX clsid unicode access"; flow:established,to_client; 
content:"A|00|E|00|9|00|3|00|C|00|5|00|D|00|F|00|-|00|A|00|9|00|9|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|E|00|B|00|D|00|-|00|5|00|2|00|5|00|4|00|A|00|B|00|D|00|D|00|2|00|B|00|6|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26244; reference:cve,2007-5722; classtype:attempted-user; sid:12690; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX function call unicode access"; flow:established,to_client; content:"C|00|a|00|l|00|l|00|e|00|r|00|.|00|C|00|a|00|l|00|l|00|C|00|o|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00a\x00l\x00l\x00e\x00r\x00.\x00C\x00a\x00l\x00l\x00C\x00o\x00d\x00e\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00a\x00l\x00l\x00e\x00r\x00.\x00C\x00a\x00l\x00l\x00C\x00o\x00d\x00e\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,25050; reference:cve,2007-3302; reference:url,supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp; classtype:attempted-user; sid:12208; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DirectAnimation.DAstatics ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|4|00|2|00|F|00|B|00|4|00|5|00|3|00|-|00|5|00|0|00|0|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|2|00|A|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|8|00|A|00|7|00|3|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11244; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ebCrypt IncrementalHash ActiveX 
function call unicode access"; flow:established,to_client; content:"E|00|b|00|C|00|r|00|y|00|p|00|t|00|.|00|e|00|b|00|_|00|c|00|_|00|I|00|n|00|c|00|r|00|e|00|m|00|e|00|n|00|t|00|a|00|l|00|H|00|a|00|s|00|h|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00I\x00n\x00c\x00r\x00e\x00m\x00e\x00n\x00t\x00a\x00l\x00H\x00a\x00s\x00h\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00I\x00n\x00c\x00r\x00e\x00m\x00e\x00n\x00t\x00a\x00l\x00H\x00a\x00s\x00h\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25789; reference:cve,2007-5111; classtype:attempted-user; sid:12603; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kingsoft Antivirus Online Update Module ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|8|00|2|00|3|00|0|00|3|00|B|00|7|00|-|00|A|00|7|00|5|00|4|00|-|00|4|00|D|00|C|00|B|00|-|00|8|00|A|00|F|00|C|00|-|00|8|00|C|00|F|00|9|00|9|00|4|00|3|00|5|00|A|00|A|00|C|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,28172; reference:cve,2008-1307; classtype:attempted-user; sid:13600; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Import 4 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|F|00|5|00|4|00|B|00|F|00|A|00|2|00|-|00|4|00|7|00|4|00|E|00|-|00|4|00|b|00|8|00|2|00|-|00|A|00|5|00|F|00|3|00|-|00|B|00|7|00|9|00|E|00|6|00|F|00|7|00|A|00|8|00|0|00|B|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12968; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Dart ZipLite Compression ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|B|00|A|00|8|00|2|00|6|00|E|00|-|00|F|00|8|00|D|00|8|00|-|00|4|00|D|00|8|00|D|00|-|00|8|00|C|00|0|00|5|00|-|00|1|00|4|00|A|00|B|00|C|00|E|00|0|00|0|00|D|00|4|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24099; reference:url,moaxb.blogspot.com/2007/05/moaxb-22-bonus-dart-ziplite-compression.html; classtype:attempted-user; sid:11659; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office 2000 OUACTR ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|9|00|3|00|6|00|0|00|3|00|3|00|C|00|-|00|4|00|A|00|5|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|8|00|A|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|F|00|2|00|7|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24118; reference:cve,2007-2903; reference:url,moaxb.blogspot.com/2007/05/moaxb-23-microsoft-office-2000.html; classtype:attempted-user; sid:11623; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Windows MFC Library ActiveX function call unicode access"; flow:established,to_client; content:"H|00|p|00|q|00|U|00|t|00|i|00|l|00|.|00|S|00|y|00|s|00|t|00|e|00|m|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00p\x00q\x00U\x00t\x00i\x00l\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)H\x00p\x00q\x00U\x00t\x00i\x00l\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,25697; reference:cve,2007-4916; classtype:attempted-user; sid:12615; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Macrovision InstallShield Update Service ActiveX function call unicode access"; flow:established,to_client; content:"D|00|W|00|U|00|S|00|W|00|e|00|b|00|A|00|g|00|e|00|n|00|t|00|.|00|W|00|e|00|b|00|A|00|g|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00W\x00U\x00S\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00.\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)D\x00W\x00U\x00S\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00.\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26280; reference:bugtraq,31235; reference:cve,2007-5660; reference:url,support.installshield.com/kb/view.asp?articleid=Q113602; classtype:attempted-user; sid:12703; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Xunlei Thunder PPLAYER.DLL 
ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|3|00|E|00|7|00|0|00|C|00|E|00|A|00|-|00|9|00|5|00|6|00|E|00|-|00|4|00|9|00|C|00|C|00|-|00|B|00|4|00|4|00|4|00|-|00|7|00|3|00|A|00|F|00|E|00|5|00|9|00|3|00|A|00|D|00|7|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26536; reference:cve,2007-6144; classtype:attempted-user; sid:12738; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EldoS SecureBlackbox PGPBBox ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|2|00|2|00|B|00|B|00|4|00|3|00|5|00|-|00|9|00|B|00|7|00|F|00|-|00|4|00|B|00|1|00|F|00|-|00|A|00|C|00|B|00|D|00|-|00|C|00|D|00|3|00|6|00|D|00|3|00|4|00|D|00|6|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24882; reference:cve,2007-3785; classtype:attempted-user; sid:12092; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MarkAny MaPrintModule_WORK ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|9|00|8|00|B|00|9|00|4|00|8|00|3|00|-|00|B|00|7|00|A|00|6|00|-|00|4|00|6|00|C|00|1|00|-|00|9|00|F|00|1|00|7|00|-|00|C|00|9|00|B|00|9|00|F|00|0|00|2|00|E|00|A|00|8|00|1|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,23420; classtype:attempted-user; sid:10477; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbDatabase Class ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|e|00|d|00|d|00|4|00|f|00|c|00|e|00|-|00|e|00|1|00|7|00|8|00|-|00|4|00|7|00|f|00|2|00|-|00|a|00|e|00|0|00|5|00|-|00|c|00|5|00|9|00|3|00|6|00|c|00|8|00|4|00|3|00|7|00|9|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00e\x00d\x00d\x004\x00f\x00c\x00e\x00-\x00e\x001\x007\x008\x00-\x004\x007\x00f\x002\x00-\x00a\x00e\x000\x005\x00-\x00c\x005\x009\x003\x006\x00c\x008\x004\x003\x007\x009\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14421; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|7|00|B|00|6|00|2|00|F|00|4|00|E|00|-|00|8|00|2|00|F|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|D|00|4|00|1|00|-|00|0|00|0|00|1|00|0|00|5|00|A|00|0|00|A|00|7|00|E|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x007\x00B\x006\x002\x00F\x004\x00E\x00-\x008\x002\x00F\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00D\x004\x001\x00-\x000\x000\x001\x000\x005\x00A\x000\x00A\x007\x00E\x008\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,30826; reference:cve,2007-1682; reference:url,support.softartisans.com/Support-114.aspx; classtype:attempted-user; sid:14232; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Dialog File_D Object ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|0|00|1|00|4|00|0|00|B|00|B|00|5|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; reference:bugtraq,24153; reference:cve,2007-2946; reference:url,moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html; classtype:attempted-user; sid:11635; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vmc2vmx.CoVPCConfiguration ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|7|00|3|00|7|00|6|00|C|00|4|00|D|00|-|00|A|00|7|00|5|00|F|00|-|00|4|00|5|00|3|00|5|00|-|00|8|00|2|00|E|00|B|00|-|00|F|00|F|00|8|00|0|00|E|00|E|00|0|00|2|00|E|00|4|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x007\x003\x007\x006\x00C\x004\x00D\x00-\x00A\x007\x005\x00F\x00-\x004\x005\x003\x005\x00-\x008\x002\x00E\x00B\x00-\x00F\x00F\x008\x000\x00E\x00E\x000\x002\x00E\x004\x000\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14307; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call unicode access"; flow:established,to_client; content:"I|00|n|00|t|00|r|00|a|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|L|00|o|00|g|00|g|00|i|00|n|00|g|00|.|00|L|00|o|00|g|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14285; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 14 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|9|00|C|00|1|00|3|00|C|00|D|00|0|00|-|00|5|00|A|00|9|00|7|00|-|00|4|00|C|00|6|00|B|00|-|00|8|00|A|00|5|00|0|00|-|00|7|00|6|00|3|00|8|00|0|00|2|00|0|00|E|00|2|00|4|00|6|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x009\x00C\x001\x003\x00C\x00D\x000\x00-\x005\x00A\x009\x007\x00-\x004\x00C\x006\x00B\x00-\x008\x00A\x005\x000\x00-\x007\x006\x003\x008\x000\x002\x000\x00E\x002\x004\x006\x002\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13743; rev:8;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 17 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|9|00|4|00|1|00|8|00|8|00|F|00|6|00|-|00|0|00|F|00|9|00|F|00|-|00|4|00|6|00|B|00|3|00|-|00|8|00|B|00|7|00|8|00|-|00|D|00|7|00|1|00|9|00|0|00|7|00|B|00|D|00|8|00|B|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x009\x004\x001\x008\x008\x00F\x006\x00-\x000\x00F\x009\x00F\x00-\x004\x006\x00B\x003\x00-\x008\x00B\x007\x008\x00-\x00D\x007\x001\x009\x000\x007\x00B\x00D\x008\x00B\x007\x007\x00(}\x00)?(?P=q19)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13749; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Music JukeBox MediaGrid ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|F|00|D|00|7|00|C|00|0|00|A|00|-|00|8|00|5|00|0|00|C|00|-|00|4|00|A|00|5|00|3|00|-|00|9|00|8|00|2|00|1|00|-|00|0|00|B|00|0|00|9|00|1|00|5|00|C|00|9|00|6|00|1|00|3|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,27578; reference:cve,2008-0625; classtype:attempted-user; sid:13431; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 25 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|2|00|7|00|0|00|E|00|6|00|0|00|4|00|-|00|3|00|8|00|7|00|F|00|-|00|4|00|8|00|E|00|D|00|-|00|B|00|B|00|6|00|D|00|-|00|A|00|A|00|5|00|1|00|F|00|5|00|1|00|D|00|6|00|F|00|C|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x002\x007\x000\x00E\x006\x000\x004\x00-\x003\x008\x007\x00F\x00-\x004\x008\x00E\x00D\x00-\x00B\x00B\x006\x00D\x00-\x00A\x00A\x005\x001\x00F\x005\x001\x00D\x006\x00F\x00C\x003\x00(}\x00)?(?P=q36)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14137; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 3 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|6|00|E|00|E|00|5|00|7|00|8|00|D|00|-|00|3|00|1|00|4|00|B|00|-|00|4|00|7|00|5|00|5|00|-|00|8|00|3|00|6|00|5|00|-|00|6|00|E|00|1|00|7|00|2|00|2|00|C|00|0|00|0|00|1|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x006\x00E\x00E\x005\x007\x008\x00D\x00-\x003\x001\x004\x00B\x00-\x004\x007\x005\x005\x00-\x008\x003\x006\x005\x00-\x006\x00E\x001\x007\x002\x002\x00C\x000\x000\x001\x00A\x002\x00(}\x00)?(?P=q46)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14093; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 4 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|C|00|6|00|8|00|6|00|5|00|1|00|-|00|1|00|7|00|0|00|0|00|-|00|4|00|7|00|5|00|0|00|-|00|A|00|8|00|1|00|F|00|-|00|A|00|1|00|F|00|5|00|1|00|1|00|0|00|E|00|0|00|F|00|6|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x00C\x006\x008\x006\x005\x001\x00-\x001\x007\x000\x000\x00-\x004\x007\x005\x000\x00-\x00A\x008\x001\x00F\x00-\x00A\x001\x00F\x005\x001\x001\x000\x00E\x000\x00F\x006\x006\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13723; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Windows Image Acquisition Logger ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|1|00|E|00|7|00|5|00|3|00|5|00|7|00|-|00|8|00|8|00|1|00|A|00|-|00|4|00|1|00|9|00|E|00|-|00|8|00|3|00|E|00|2|00|-|00|B|00|B|00|1|00|6|00|D|00|B|00|1|00|9|00|7|00|C|00|6|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x001\x00E\x007\x005\x003\x005\x007\x00-\x008\x008\x001\x00A\x00-\x004\x001\x009\x00E\x00-\x008\x003\x00E\x002\x00-\x00B\x00B\x001\x006\x00D\x00B\x001\x009\x007\x00C\x006\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14267; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbEnumTags Class ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|3|00|3|00|a|00|5|00|d|00|f|00|a|00|-|00|0|00|8|00|4|00|e|00|-|00|4|00|e|00|c|00|f|00|-|00|a|00|f|00|1|00|3|00|-|00|9|00|5|00|b|00|8|00|5|00|2|00|3|00|5|00|8|00|d|00|d|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x003\x003\x00a\x005\x00d\x00f\x00a\x00-\x000\x008\x004\x00e\x00-\x004\x00e\x00c\x00f\x00-\x00a\x00f\x001\x003\x00-\x009\x005\x00b\x008\x005\x002\x003\x005\x008\x00d\x00d\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14411; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|e|00|2|00|L|00|i|00|b|00|.|00|V|00|i|00|e|00|2|00|L|00|i|00|n|00|u|00|x|00|V|00|o|00|l|00|u|00|m|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14277; 
rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iPIX Media Send Class ActiveX function call unicode access"; flow:established,to_client; content:"i|00|P|00|I|00|X|00|.|00|R|00|i|00|m|00|f|00|i|00|r|00|e|00|4|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)i\x00P\x00I\x00X\x00.\x00R\x00i\x00m\x00f\x00i\x00r\x00e\x004\x00.\x001\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)i\x00P\x00I\x00X\x00.\x00R\x00i\x00m\x00f\x00i\x00r\x00e\x004\x00.\x001\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10474; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 31 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|9|00|8|00|6|00|F|00|E|00|4|00|B|00|-|00|A|00|E|00|6|00|7|00|-|00|4|00|3|00|C|00|8|00|-|00|9|00|A|00|8|00|9|00|-|00|E|00|A|00|D|00|D|00|E|00|A|00|3|00|E|00|C|00|6|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x009\x008\x006\x00F\x00E\x004\x00B\x00-\x00A\x00E\x006\x007\x00-\x004\x003\x00C\x008\x00-\x009\x00A\x008\x009\x00-\x00E\x00A\x00D\x00D\x00E\x00A\x003\x00E\x00C\x006\x00B\x006\x00(}\x00)?(?P=q50)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14149; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SkyFex Client ActiveX clsid unicode access"; flow:established,to_client; 
content:"F|00|8|00|4|00|E|00|0|00|B|00|6|00|4|00|-|00|1|00|E|00|8|00|6|00|-|00|4|00|6|00|4|00|0|00|-|00|8|00|0|00|9|00|4|00|-|00|5|00|B|00|3|00|8|00|C|00|E|00|B|00|2|00|8|00|C|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27059; reference:cve,2007-6605; classtype:attempted-user; sid:13267; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual FoxPro ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|F|00|2|00|8|00|4|00|1|00|8|00|F|00|-|00|F|00|F|00|B|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|6|00|1|00|A|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|A|00|9|00|7|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; classtype:attempted-user; sid:12418; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|B|00|F|00|F|00|E|00|0|00|3|00|3|00|-|00|B|00|F|00|4|00|3|00|-|00|1|00|1|00|D|00|5|00|-|00|A|00|2|00|7|00|1|00|-|00|0|00|0|00|A|00|0|00|2|00|4|00|A|00|5|00|1|00|3|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13259; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 36 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|4|00|7|00|F|00|2|00|9|00|4|00|7|00|-|00|2|00|2|00|9|00|6|00|-|00|4|00|2|00|F|00|E|00|-|00|9|00|2|00|E|00|6|00|-|00|E|00|2|00|E|00|0|00|3|00|5|00|1|00|9|00|B|00|8|00|9|00|5|00|"; fast_pattern:only; 
nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x004\x007\x00F\x002\x009\x004\x007\x00-\x002\x002\x009\x006\x00-\x004\x002\x00F\x00E\x00-\x009\x002\x00E\x006\x00-\x00E\x002\x00E\x000\x003\x005\x001\x009\x00B\x008\x009\x005\x00(}\x00)?(?P=q60)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14159; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DB Software Laboratory VImpX ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|6|00|0|00|0|00|7|00|0|00|7|00|B|00|-|00|9|00|F|00|4|00|7|00|-|00|4|00|1|00|6|00|D|00|-|00|8|00|A|00|B|00|5|00|-|00|6|00|F|00|D|00|9|00|6|00|E|00|A|00|3|00|7|00|9|00|6|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; reference:bugtraq,26064; reference:cve,2007-5445; classtype:attempted-user; sid:12649; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|E|00|B|00|0|00|E|00|7|00|4|00|A|00|-|00|2|00|A|00|7|00|6|00|-|00|4|00|A|00|B|00|3|00|-|00|A|00|7|00|F|00|B|00|-|00|9|00|B|00|D|00|8|00|C|00|2|00|9|00|F|00|7|00|F|00|7|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,26004; reference:cve,2007-3675; classtype:attempted-user; sid:12638; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SmartCode VNC Manager ActiveX clsid unicode access"; flow:established,to_client; 
content:"6|00|2|00|F|00|A|00|8|00|3|00|F|00|7|00|-|00|2|00|0|00|E|00|C|00|-|00|4|00|D|00|6|00|2|00|-|00|A|00|C|00|8|00|6|00|-|00|B|00|A|00|B|00|7|00|0|00|5|00|E|00|E|00|1|00|C|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; reference:bugtraq,23869; reference:cve,2007-2526; reference:url,moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html; classtype:attempted-user; sid:11219; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VeralSoft HTTP File Upload ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|4|00|F|00|D|00|4|00|8|00|E|00|6|00|-|00|0|00|7|00|1|00|2|00|-|00|4|00|9|00|3|00|7|00|-|00|B|00|0|00|9|00|E|00|-|00|F|00|3|00|D|00|2|00|8|00|5|00|B|00|1|00|1|00|D|00|8|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,28301; reference:cve,2008-6638; classtype:attempted-user; sid:13662; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TypeLibInfo ActiveX function call unicode access"; flow:established,to_client; content:"T|00|L|00|I|00|.|00|T|00|y|00|p|00|e|00|L|00|i|00|b|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)T\x00L\x00I\x00.\x00T\x00y\x00p\x00e\x00L\x00i\x00b\x00I\x00n\x00f\x00o\x00(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)T\x00L\x00I\x00.\x00T\x00y\x00p\x00e\x00L\x00i\x00b\x00I\x00n\x00f\x00o\x00(?P=q16)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12276; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Input Method Editor 2 ActiveX clsid 
unicode access"; flow:established,to_client; content:"D|00|A|00|5|00|6|00|F|00|8|00|5|00|1|00|-|00|D|00|3|00|C|00|5|00|-|00|1|00|1|00|D|00|3|00|-|00|8|00|4|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|A|00|0|00|6|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x005\x006\x00F\x008\x005\x001\x00-\x00D\x003\x00C\x005\x00-\x001\x001\x00D\x003\x00-\x008\x004\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x007\x00A\x000\x006\x00E\x005\x00(}\x00)?\5/si"; reference:cve,2006-4697; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10141; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 33 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|7|00|8|00|6|00|6|00|6|00|3|00|6|00|-|00|E|00|D|00|5|00|2|00|-|00|4|00|7|00|2|00|2|00|-|00|8|00|2|00|A|00|9|00|-|00|6|00|B|00|A|00|A|00|B|00|E|00|F|00|D|00|B|00|F|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x007\x008\x006\x006\x006\x003\x006\x00-\x00E\x00D\x005\x002\x00-\x004\x007\x002\x002\x00-\x008\x002\x00A\x009\x00-\x006\x00B\x00A\x00A\x00B\x00E\x00F\x00D\x00B\x00F\x009\x006\x00(}\x00)?(?P=q54)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14153; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmappPropObj2 Class ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|8|00|a|00|7|00|0|00|f|00|0|00|0|00|-|00|a|00|e|00|1|00|4|00|-|00|4|00|6|00|c|00|e|00|-|00|a|00|c|00|1|00|7|00|-|00|d|00|2|00|2|00|9|00|0|00|d|00|5|00|0|00|4|00|b|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x008\x00a\x007\x000\x00f\x000\x000\x00-\x00a\x00e\x001\x004\x00-\x004\x006\x00c\x00e\x00-\x00a\x00c\x001\x007\x00-\x00d\x002\x002\x009\x000\x00d\x005\x000\x004\x00b\x003\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14371; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VixCOM.VixLib ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|8|00|7|00|4|00|E|00|9|00|4|00|9|00|-|00|7|00|1|00|8|00|6|00|-|00|4|00|3|00|0|00|8|00|-|00|A|00|1|00|B|00|9|00|-|00|D|00|5|00|5|00|A|00|9|00|1|00|F|00|6|00|0|00|7|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x007\x004\x00E\x009\x004\x009\x00-\x007\x001\x008\x006\x00-\x004\x003\x000\x008\x00-\x00A\x001\x00B\x009\x00-\x00D\x005\x005\x00A\x009\x001\x00F\x006\x000\x007\x002\x008\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; 
classtype:attempted-user; sid:14395; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 68 ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|1|00|A|00|2|00|6|00|B|00|B|00|F|00|-|00|2|00|6|00|C|00|0|00|-|00|4|00|0|00|1|00|d|00|-|00|B|00|8|00|2|00|B|00|-|00|5|00|C|00|4|00|C|00|C|00|6|00|7|00|4|00|5|00|7|00|E|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x001\x00A\x002\x006\x00B\x00B\x00F\x00-\x002\x006\x00C\x000\x00-\x004\x000\x001\x00d\x00-\x00B\x008\x002\x00B\x00-\x005\x00C\x004\x00C\x00C\x006\x007\x004\x005\x007\x00E\x000\x00(}\x00)?(?P=q130)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14223; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXLTPI.DLL ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|0|00|1|00|e|00|a|00|5|00|6|00|4|00|-|00|a|00|6|00|f|00|6|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|1|00|1|00|d|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|b|00|6|00|d|00|b|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-069; classtype:attempted-user; sid:12955; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmappPoll Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|v|00|m|00|a|00|p|00|p|00|P|00|o|00|l|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00v\x00m\x00a\x00p\x00p\x00P\x00o\x00l\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00v\x00m\x00a\x00p\x00p\x00P\x00o\x00l\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14377; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BaoFeng Storm MPS.dll ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|B|00|E|00|5|00|2|00|E|00|1|00|D|00|-|00|E|00|5|00|8|00|6|00|-|00|4|00|7|00|4|00|F|00|-|00|A|00|6|00|E|00|2|00|-|00|1|00|A|00|8|00|5|00|A|00|9|00|B|00|4|00|D|00|9|00|F|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; reference:bugtraq,25601; reference:cve,2007-4816; reference:cve,2009-1612; classtype:attempted-user; sid:12435; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer General Property Page ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|9|00|5|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x00C\x00D\x00A\x009\x005\x003\x00-\x008\x00B\x00E\x004\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x004\x00B\x00-\x000\x000\x002\x000\x00A\x00F\x00B\x00B\x00C\x00C\x00F\x00A\x00(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14043; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 66 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|2|00|7|00|5|00|A|00|8|00|6|00|5|00|-|00|7|00|5|00|4|00|B|00|-|00|4|00|E|00|D|00|F|00|-|00|B|00|8|00|2|00|8|00|-|00|F|00|E|00|D|00|0|00|F|00|8|00|D|00|3|00|4|00|4|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x007\x005\x00A\x008\x006\x005\x00-\x007\x005\x004\x00B\x00-\x004\x00E\x00D\x00F\x00-\x00B\x008\x002\x008\x00-\x00F\x00E\x00D\x000\x00F\x008\x00D\x003\x004\x004\x00F\x00C\x00(}\x00)?(?P=q126)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14219; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kaspersky Online Scanner KAVWebScan.dll ActiveX function call unicode access"; flow:established,to_client; content:"k|00|a|00|v|00|w|00|e|00|b|00|s|00|c|00|a|00|n|00|.|00|C|00|K|00|A|00|V|00|W|00|e|00|b|00|S|00|c|00|a|00|n|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)k\x00a\x00v\x00w\x00e\x00b\x00s\x00c\x00a\x00n\x00.\x00C\x00K\x00A\x00V\x00W\x00e\x00b\x00S\x00c\x00a\x00n\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)k\x00a\x00v\x00w\x00e\x00b\x00s\x00c\x00a\x00n\x00.\x00C\x00K\x00A\x00V\x00W\x00e\x00b\x00S\x00c\x00a\x00n\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26004; reference:cve,2007-3675; classtype:attempted-user; sid:12640; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent Control ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|B|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25566; reference:cve,2007-3040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-051; classtype:attempted-user; sid:12449; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Agent v1.5 ActiveX function call unicode access"; flow:established,to_client; content:"A|00|g|00|e|00|n|00|t|00|.|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x001\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x001\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2005-1214; reference:cve,2006-3445; reference:cve,2007-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-032; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-068; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-020; classtype:attempted-user; sid:10465; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 40 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|9|00|5|00|B|00|5|00|2|00|E|00|9|00|-|00|B|00|8|00|3|00|9|00|-|00|4|00|4|00|1|00|2|00|-|00|9|00|6|00|E|00|B|00|-|00|4|00|D|00|A|00|B|00|A|00|B|00|2|00|E|00|4|00|E|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x009\x005\x00B\x005\x002\x00E\x009\x00-\x00B\x008\x003\x009\x00-\x004\x004\x001\x002\x00-\x009\x006\x00E\x00B\x00-\x004\x00D\x00A\x00B\x00A\x00B\x002\x00E\x004\x00E\x002\x004\x00(}\x00)?(?P=q70)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14167; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Edition 1 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|9|00|D|00|E|00|B|00|9|00|0|00|-|00|8|00|D|00|E|00|3|00|-|00|1|00|1|00|D|00|5|00|-|00|B|00|A|00|E|00|4|00|-|00|0|00|0|00|1|00|0|00|5|00|A|00|A|00|A|00|F|00|F|00|9|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25544; reference:cve,2007-0322; reference:cve,2007-4471; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.kb.cert.org/vuls/id/907481; reference:url,www.kb.cert.org/vuls/id/979638; classtype:attempted-user; sid:12394; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX BlnSetUser Proxy ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|6|00|1|00|F|00|6|00|5|00|7|00|2|00|-|00|5|00|7|00|8|00|B|00|-|00|4|00|0|00|A|00|7|00|-|00|B|00|7|00|2|00|E|00|-|00|6|00|1|00|B|00|7|00|2|00|6|00|1|00|D|00|9|00|F|00|0|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x006\x001\x00F\x006\x005\x007\x002\x00-\x005\x007\x008\x00B\x00-\x004\x000\x00A\x007\x00-\x00B\x007\x002\x00E\x00-\x006\x001\x00B\x007\x002\x006\x001\x00D\x009\x00F\x000\x00C\x00(}\x00)?\5/si"; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10152; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Document Object Library ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q24)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q25)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24179; reference:cve,2007-2981; 
reference:url,moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html; classtype:attempted-user; sid:11641; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Windows Media Services ActiveX function call unicode access"; flow:established,to_client; content:"N|00|S|00|I|00|E|00|M|00|i|00|s|00|c|00|.|00|N|00|S|00|I|00|E|00|M|00|i|00|s|00|c|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00.\x00N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00.\x00N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,30814; reference:cve,2008-5232; classtype:attempted-user; sid:14238; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EDraw Office Viewer ActiveX function call unicode access"; flow:established,to_client; content:"E|00|D|00|r|00|a|00|w|00|O|00|f|00|f|00|i|00|c|00|e|00|V|00|i|00|e|00|w|00|e|00|r|00|.|00|E|00|D|00|r|00|a|00|w|00|O|00|f|00|f|00|i|00|c|00|e|00|V|00|i|00|e|00|w|00|e|00|r|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24229; reference:bugtraq,24230; reference:cve,2007-3168; reference:cve,2007-3169; reference:url,moaxb.blogspot.com/2007/05/moaxb-28-edraw-office-viewer-component.html; reference:url,moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html; classtype:attempted-user; sid:11663; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Comodo AntiVirus ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|0|00|9|00|F|00|6|00|7|00|4|00|D|00|-|00|E|00|4|00|D|00|3|00|-|00|4|00|6|00|B|00|D|00|-|00|B|00|9|00|E|00|2|00|-|00|E|00|D|00|7|00|D|00|F|00|D|00|7|00|F|00|D|00|1|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q23)(?=\s\x00|>\x00)/si"; reference:bugtraq,27424; reference:cve,2008-0470; classtype:attempted-user; sid:13338; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 5 Property Overflows ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|A|00|1|00|6|00|2|00|2|00|4|00|9|00|-|00|F|00|2|00|C|00|5|00|-|00|4|00|8|00|5|00|1|00|-|00|8|00|A|00|D|00|C|00|-|00|F|00|C|00|5|00|8|00|C|00|B|00|4|00|2|00|4|00|2|00|4|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00A\x001\x006\x002\x002\x004\x009\x00-\x00F\x002\x00C\x005\x00-\x004\x008\x005\x001\x00-\x008\x00A\x00D\x00C\x00-\x00F\x00C\x005\x008\x00C\x00B\x004\x002\x004\x002\x004\x003\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13443; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 11 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|0|00|5|00|B|00|F|00|7|00|D|00|7|00|-|00|6|00|B|00|C|00|1|00|-|00|4|00|4|00|5|00|A|00|-|00|B|00|E|00|5|00|3|00|-|00|9|00|4|00|7|00|8|00|A|00|C|00|0|00|9|00|6|00|B|00|E|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x000\x005\x00B\x00F\x007\x00D\x007\x00-\x006\x00B\x00C\x001\x00-\x004\x004\x005\x00A\x00-\x00B\x00E\x005\x003\x00-\x009\x004\x007\x008\x00A\x00C\x000\x009\x006\x00B\x00E\x00B\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14109; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 35 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|D|00|6|00|A|00|1|00|A|00|8|00|5|00|-|00|D|00|E|00|5|00|4|00|-|00|4|00|7|00|6|00|8|00|-|00|9|00|9|00|5|00|1|00|-|00|0|00|5|00|3|00|B|00|3|00|B|00|0|00|2|00|B|00|9|00|B|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00D\x006\x00A\x001\x00A\x008\x005\x00-\x00D\x00E\x005\x004\x00-\x004\x007\x006\x008\x00-\x009\x009\x005\x001\x00-\x000\x005\x003\x00B\x003\x00B\x000\x002\x00B\x009\x00B\x000\x00(}\x00)?(?P=q58)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14157; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Thumbnail Object Library ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|7|00|8|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q33)(?=\s\x00|>\x00)/si"; reference:bugtraq,24057; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html; classtype:attempted-user; sid:11647; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ultra Crypto Component CryptoX.dll ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|9|00|C|00|2|00|8|00|2|00|F|00|E|00|-|00|7|00|D|00|E|00|7|00|-|00|4|00|6|00|9|00|7|00|-|00|9|00|B|00|E|00|2|00|-|00|1|00|C|00|4|00|F|00|4|00|D|00|A|00|8|00|2|00|5|00|B|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25609; reference:cve,2007-4903; reference:url,www.ultrashareware.com/Ultra-Crypto-Component.htm; classtype:attempted-user; sid:12439; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 41 ActiveX clsid unicode access"; 
flow:established,to_client; content:"C|00|B|00|0|00|5|00|A|00|1|00|7|00|7|00|-|00|1|00|0|00|6|00|9|00|-|00|4|00|A|00|7|00|A|00|-|00|A|00|B|00|0|00|A|00|-|00|5|00|E|00|6|00|E|00|0|00|0|00|D|00|C|00|D|00|B|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00B\x000\x005\x00A\x001\x007\x007\x00-\x001\x000\x006\x009\x00-\x004\x00A\x007\x00A\x00-\x00A\x00B\x000\x00A\x00-\x005\x00E\x006\x00E\x000\x000\x00D\x00C\x00D\x00B\x007\x006\x00(}\x00)?(?P=q72)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14169; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX COWON America JetAudio JetFlExt.dll ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|D|00|1|00|6|00|3|00|6|00|F|00|D|00|-|00|C|00|A|00|4|00|9|00|-|00|4|00|B|00|4|00|E|00|-|00|9|00|0|00|E|00|4|00|-|00|0|00|A|00|2|00|0|00|E|00|0|00|3|00|A|00|1|00|5|00|E|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,25723; reference:cve,2007-4983; classtype:attempted-user; sid:12469; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Direct Speech Recognition ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|E|00|3|00|D|00|9|00|D|00|1|00|F|00|-|00|0|00|C|00|6|00|3|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|B|00|F|00|B|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|1|00|8|00|4|00|1|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11831; rev:8;) # alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ICQ Toolbar toolbaru.dll ActiveX function call unicode access"; flow:established,to_client; content:"X|00|T|00|T|00|B|00|0|00|0|00|0|00|0|00|1|00|.|00|X|00|T|00|T|00|B|00|0|00|0|00|0|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00.\x00X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00.\x00X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28086; reference:bugtraq,28118; reference:cve,2008-7135; reference:cve,2008-7136; classtype:attempted-user; sid:13598; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office 2000 and 2002 Web Components Data Source Control ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|3|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,4449; reference:cve,2002-0727; reference:cve,2007-1201; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; classtype:attempted-user; sid:13468; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX COWON America JetAudio JetFlExt.dll ActiveX function call unicode access"; flow:established,to_client; content:"J|00|e|00|t|00|A|00|u|00|d|00|i|00|o|00|.|00|I|00|n|00|t|00|e|00|r|00|f|00|a|00|c|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)J\x00e\x00t\x00A\x00u\x00d\x00i\x00o\x00.\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)J\x00e\x00t\x00A\x00u\x00d\x00i\x00o\x00.\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25723; reference:cve,2007-4983; classtype:attempted-user; sid:12471; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vantage Linguistics 1 ActiveX clsid unicode access"; flow:established,to_client; content:"c|00|1|00|9|00|0|00|8|00|6|00|8|00|2|00|-|00|7|00|b|00|2|00|c|00|-|00|4|00|a|00|b|00|0|00|-|00|b|00|9|00|8|00|e|00|-|00|1|00|8|00|3|00|6|00|4|00|9|00|a|00|0|00|b|00|f|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.vantagelinguistics.com/answerworks/release/; classtype:attempted-user; sid:12949; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft SQL Server Distributed Management Objects ActiveX function call unicode access"; flow:established,to_client; content:"S|00|Q|00|L|00|D|00|M|00|O|00|.|00|S|00|Q|00|L|00|S|00|e|00|r|00|v|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00Q\x00L\x00D\x00M\x00O\x00.\x00S\x00Q\x00L\x00S\x00e\x00r\x00v\x00e\x00r\x00(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00Q\x00L\x00D\x00M\x00O\x00.\x00S\x00Q\x00L\x00S\x00e\x00r\x00v\x00e\x00r\x00(?P=q13)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:12447; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX VmdbQuery Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|Q|00|u|00|e|00|r|00|y|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00Q\x00u\x00e\x00r\x00y\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00Q\x00u\x00e\x00r\x00y\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14369; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle ORADC ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|C|00|4|00|C|00|F|00|6|00|3|00|5|00|-|00|D|00|1|00|9|00|6|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|0|00|2|00|7|00|-|00|0|00|2|00|6|00|0|00|8|00|C|00|4|00|B|00|F|00|3|00|B|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00C\x004\x00C\x00F\x006\x003\x005\x00-\x00D\x001\x009\x006\x00-\x001\x001\x00C\x00E\x00-\x009\x000\x002\x007\x00-\x000\x002\x006\x000\x008\x00C\x004\x00B\x00F\x003\x00B\x005\x00(}\x00)?\5/si"; reference:bugtraq,22026; classtype:attempted-user; sid:10016; rev:8;) # alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientHost Class ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|6|00|6|00|3|00|f|00|7|00|c|00|7|00|-|00|4|00|4|00|f|00|b|00|-|00|4|00|0|00|7|00|5|00|-|00|b|00|c|00|8|00|3|00|-|00|8|00|2|00|9|00|b|00|4|00|7|00|d|00|b|00|7|00|9|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x006\x006\x003\x00f\x007\x00c\x007\x00-\x004\x004\x00f\x00b\x00-\x004\x000\x007\x005\x00-\x00b\x00c\x008\x003\x00-\x008\x002\x009\x00b\x004\x007\x00d\x00b\x007\x009\x003\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14437; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Chroma ActiveX function call unicode access"; flow:established,to_client; content:"D|00|X|00|I|00|m|00|a|00|g|00|e|00|T|00|r|00|a|00|n|00|s|00|f|00|o|00|r|00|m|00|.|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|C|00|h|00|r|00|o|00|m|00|a|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00C\x00h\x00r\x00o\x00m\x00a\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00C\x00h\x00r\x00o\x00m\x00a\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24188; reference:url,www.securityfocus.com/archive/1/443907; classtype:attempted-user; sid:11621; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GlobalLink HanGamePlugin ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|1|00|F|00|5|00|C|00|3|00|5|00|8|00|-|00|6|00|0|00|F|00|B|00|-|00|4|00|A|00|2|00|3|00|-|00|A|00|3|00|1|00|2|00|-|00|D|00|2|00|B|00|5|00|5|00|6|00|6|00|2|00|0|00|F|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27626; reference:cve,2008-0647; classtype:attempted-user; sid:13447; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Clever Database Comparer ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|4|00|E|00|0|00|C|00|D|00|6|00|4|00|-|00|A|00|8|00|D|00|E|00|-|00|4|00|B|00|E|00|4|00|-|00|9|00|7|00|0|00|6|00|-|00|4|00|C|00|F|00|C|00|8|00|9|00|D|00|2|00|1|00|2|00|C|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; reference:bugtraq,23969; reference:cve,2007-2648; reference:url,moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html; classtype:attempted-user; sid:11298; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 61 
ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|7|00|4|00|E|00|1|00|D|00|8|00|8|00|-|00|B|00|A|00|D|00|F|00|-|00|4|00|C|00|8|00|0|00|-|00|8|00|5|00|9|00|4|00|-|00|A|00|5|00|9|00|0|00|3|00|9|00|C|00|9|00|9|00|2|00|E|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x004\x00E\x001\x00D\x008\x008\x00-\x00B\x00A\x00D\x00F\x00-\x004\x00C\x008\x000\x00-\x008\x005\x009\x004\x00-\x00A\x005\x009\x000\x003\x009\x00C\x009\x009\x002\x00E\x00A\x00(}\x00)?(?P=q116)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14209; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ComponentOne FlexGrid ActiveX function call unicode access"; flow:established,to_client; content:"V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|.|00|V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|L|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26467; reference:cve,2007-6028; classtype:attempted-user; sid:12736; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|4|00|A|00|6|00|A|00|9|00|C|00|A|00|-|00|A|00|C|00|5|00|B|00|-|00|4|00|C|00|3|00|9|00|-|00|8|00|F|00|E|00|6|00|-|00|1|00|7|00|E|00|7|00|D|00|0|00|6|00|9|00|0|00|3|00|A|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x00A\x006\x00A\x009\x00C\x00A\x00-\x00A\x00C\x005\x00B\x00-\x004\x00C\x003\x009\x00-\x008\x00F\x00E\x006\x00-\x001\x007\x00E\x007\x00D\x000\x006\x009\x000\x003\x00A\x009\x00(}\x00)?(?P=q24)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14091; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 45 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|8|00|7|00|5|00|E|00|7|00|A|00|5|00|-|00|E|00|E|00|3|00|C|00|-|00|4|00|F|00|E|00|7|00|-|00|A|00|2|00|3|00|E|00|-|00|D|00|E|00|0|00|5|00|2|00|9|00|D|00|1|00|2|00|0|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x008\x007\x005\x00E\x007\x00A\x005\x00-\x00E\x00E\x003\x00C\x00-\x004\x00F\x00E\x007\x00-\x00A\x002\x003\x00E\x00-\x00D\x00E\x000\x005\x002\x009\x00D\x001\x002\x000\x002\x008\x00(}\x00)?(?P=q80)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14177; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ActiveX Soft DVD Tools ActiveX function call unicode access"; flow:established,to_client; content:"D|00|V|00|D|00|_|00|T|00|O|00|O|00|L|00|S|00|.|00|D|00|V|00|D|00|_|00|T|00|O|00|O|00|L|00|S|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; 
nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00.\x00D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00C\x00t\x00r\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00.\x00D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,22558; reference:cve,2007-0976; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html; classtype:attempted-user; sid:11198; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PowerPoint Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|7|00|A|00|F|00|4|00|A|00|4|00|5|00|-|00|4|00|9|00|B|00|E|00|-|00|4|00|4|00|8|00|5|00|-|00|9|00|F|00|5|00|5|00|-|00|9|00|1|00|A|00|B|00|4|00|0|00|F|00|2|00|2|00|B|00|9|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x00A\x00F\x004\x00A\x004\x005\x00-\x004\x009\x00B\x00E\x00-\x004\x004\x008\x005\x00-\x009\x00F\x005\x005\x00-\x009\x001\x00A\x00B\x004\x000\x00F\x002\x002\x00B\x009\x002\x00(}\x00)?(?P=q21)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11177; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Shockwave ActiveX Control ActiveX clsid unicode access"; flow:established,to_client; 
content:"2|00|3|00|3|00|C|00|1|00|5|00|0|00|7|00|-|00|6|00|A|00|7|00|7|00|-|00|4|00|6|00|A|00|4|00|-|00|9|00|4|00|4|00|3|00|-|00|F|00|8|00|7|00|1|00|F|00|9|00|4|00|5|00|D|00|2|00|5|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x003\x003\x00C\x001\x005\x000\x007\x00-\x006\x00A\x007\x007\x00-\x004\x006\x00A\x004\x00-\x009\x004\x004\x003\x00-\x00F\x008\x007\x001\x00F\x009\x004\x005\x00D\x002\x005\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,22067; reference:bugtraq,22842; reference:cve,2006-6885; classtype:attempted-user; sid:10215; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 6 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|0|00|1|00|7|00|8|00|2|00|7|00|9|00|-|00|6|00|D|00|6|00|2|00|-|00|4|00|3|00|a|00|f|00|-|00|A|00|3|00|3|00|6|00|-|00|7|00|7|00|9|00|2|00|5|00|6|00|5|00|1|00|A|00|4|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x000\x001\x007\x008\x002\x007\x009\x00-\x006\x00D\x006\x002\x00-\x004\x003\x00a\x00f\x00-\x00A\x003\x003\x006\x00-\x007\x007\x009\x002\x005\x006\x005\x001\x00A\x004\x00C\x006\x00(}\x00)?(?P=q38)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13727; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Second Sight Software ActiveGS ActiveX function call unicode access"; flow:established,to_client; 
content:"A|00|C|00|T|00|I|00|V|00|E|00|G|00|S|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|G|00|S|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00G\x00S\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00G\x00S\x00C\x00t\x00r\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00G\x00S\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00G\x00S\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23554; reference:cve,2007-1690; reference:url,www.kb.cert.org/vuls/id/118737; classtype:attempted-user; sid:10981; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual FoxPro 2 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|8|00|B|00|6|00|0|00|1|00|0|00|-|00|1|00|F|00|3|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|0|00|C|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|5|00|D|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,27205; reference:cve,2008-0236; classtype:attempted-user; sid:13304; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX function call unicode access"; flow:established,to_client; content:"i|00|N|00|o|00|t|00|e|00|s|00|6|00|.|00|i|00|N|00|o|00|t|00|e|00|s|00|6|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)i\x00N\x00o\x00t\x00e\x00s\x006\x00.\x00i\x00N\x00o\x00t\x00e\x00s\x006\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)i\x00N\x00o\x00t\x00e\x00s\x006\x00.\x00i\x00N\x00o\x00t\x00e\x00s\x006\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26972; reference:cve,2007-4474; 
reference:cve,2010-0919; classtype:attempted-user; sid:13261; rev:7;)
#
# NOTE (review): every rule in this DELETED section is intentionally commented out.
# Do not resurrect one by just stripping the leading "#"; the points below apply to
# all of the WEB-ACTIVEX "... unicode access" rules in this block, not only to the
# ones on the lines that follow.
#
# 1. As rendered here the pcre named groups have lost their names: "(?P\w+)",
#    "(?P\x22|\x27|)" and "(?P(\w\x00)+)" are not valid PCRE ("(?P" is only legal
#    as "(?P<name>", "(?P=name)" or "(?P>name)"), so the back-references such as
#    "(?P=q4)", "(?P=c)" and "(?P=q15)" refer to groups that no longer exist. The
#    names were presumably eaten by whatever extracted this listing (the angle
#    brackets look like HTML tags); recover them from the original deleted.rules,
#    never from this text, before reusing any of these patterns. The few rules that
#    use a numeric back-reference ("\5") are the only ones left intact.
#
# 2. These are UTF-16 duplicates of the plain-ASCII clsid/ProgID rules: every
#    character of the CLSID or ProgID is matched as "X|00|" in the content and as
#    "X\x00" in the pcre, and the rule scans the raw to_client stream (no file_data
#    or http buffer). With http_inspect decoding the response body (normalize_utf)
#    a single file_data rule covers both encodings, which is presumably why the
#    per-encoding variants were dropped. Also note the unanchored ".*" under the
#    "s" flag in the function-call rules: it spans the whole response, so a
#    revived copy would be expensive on large pages.
#
# 3. Several clsid rules in this section have a pcre that begins "1([^>]\x00)*1("
#    instead of "<\x00o\x00b\x00j\x00e\x00c\x00t\x00...". That literal "1" means
#    the expression can only match after a "1" character, so those rules never
#    matched an <object classid=...> tag as written; treat them as non-functional
#    history, not as a template for new rules.
#
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 15 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|F|00|9|00|3|00|1|00|8|00|9|00|5|00|-|00|A|00|F|00|8|00|2|00|-|00|4|00|6|00|7|00|A|00|-|00|8|00|8|00|1|00|9|00|-|00|9|00|1|00|7|00|C|00|6|00|E|00|E|00|2|00|D|00|1|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00F\x009\x003\x001\x008\x009\x005\x00-\x00A\x00F\x008\x002\x00-\x004\x006\x007\x00A\x00-\x008\x008\x001\x009\x00-\x009\x001\x007\x00C\x006\x00E\x00E\x002\x00D\x001\x00F\x003\x00(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13745; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Xunlei Thunder PPLAYER.DLL ActiveX function call unicode access"; flow:established,to_client; content:"P|00|P|00|l|00|a|00|y|00|e|00|r|00|.|00|X|00|P|00|P|00|l|00|a|00|y|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00P\x00l\x00a\x00y\x00e\x00r\x00.\x00X\x00P\x00P\x00l\x00a\x00y\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)P\x00P\x00l\x00a\x00y\x00e\x00r\x00.\x00X\x00P\x00P\x00l\x00a\x00y\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26536; reference:cve,2007-6144; classtype:attempted-user; sid:12740; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Direct Speech Recognition ActiveX function call unicode access"; flow:established,to_client; 
content:"D|00|i|00|r|00|e|00|c|00|t|00|S|00|R|00|.|00|D|00|i|00|r|00|e|00|c|00|t|00|S|00|R|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11833; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientHosts Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|H|00|o|00|s|00|t|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14289; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo 
Webcam Viewer Wrapper ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|D|00|3|00|9|00|2|00|2|00|3|00|E|00|-|00|A|00|E|00|8|00|E|00|-|00|1|00|1|00|D|00|4|00|-|00|8|00|F|00|D|00|3|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|7|00|3|00|0|00|2|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24341; reference:cve,2007-3148; reference:url,www.frsirt.com/english/advisories/2007/2094; classtype:attempted-user; sid:11819; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbExecuteError Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|E|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14319; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX StreamAudio ProxyManager ActiveX function call unicode access"; 
flow:established,to_client; content:"C|00|c|00|p|00|m|00|.|00|P|00|r|00|o|00|x|00|y|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00c\x00p\x00m\x00.\x00P\x00r\x00o\x00x\x00y\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00c\x00p\x00m\x00.\x00P\x00r\x00o\x00x\x00y\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27247; reference:cve,2008-0248; classtype:attempted-user; sid:13315; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Thumbnail Object Library ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00(?P=q34)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00(?P=q35)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24057; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html; classtype:attempted-user; sid:11649; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BitDefender Online Scanner ActiveX function call unicode access"; 
flow:established,to_client; content:"B|00|D|00|S|00|C|00|A|00|N|00|O|00|N|00|L|00|I|00|N|00|E|00|.|00|B|00|D|00|S|00|C|00|A|00|N|00|O|00|N|00|L|00|I|00|N|00|E|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00.\x00B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00.\x00B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,26210; reference:cve,2007-5775; classtype:attempted-user; sid:12750; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmappPropObj Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14341; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FlexLabel ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|8|00|4|00|B|00|4|00|3|00|2|00|E|00|-|00|E|00|0|00|B|00|D|00|-|00|4|00|A|00|7|00|8|00|-|00|B|00|D|00|7|00|7|00|-|00|6|00|6|00|5|00|5|00|9|00|1|00|D|00|A|00|8|00|4|00|B|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q9)(?=\s\x00|>\x00)/si"; reference:url,www.securityfocus.com/archive/1/468070; classtype:attempted-user; sid:11281; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call unicode access"; flow:established,to_client; content:"N|00|C|00|T|00|W|00|M|00|A|00|F|00|i|00|l|00|e|00|2|00|.|00|W|00|M|00|A|00|F|00|i|00|l|00|e|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00.\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00.\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24613; reference:cve,2007-3400; reference:url,nctsoft.com/products/NCTAudioEditor2/; classtype:attempted-user; sid:12022; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VixCOM.VixLib ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|x|00|C|00|O|00|M|00|.|00|V|00|i|00|x|00|L|00|i|00|b|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00x\x00C\x00O\x00M\x00.\x00V\x00i\x00x\x00L\x00i\x00b\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00x\x00C\x00O\x00M\x00.\x00V\x00i\x00x\x00L\x00i\x00b\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14397; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Support Controls SmartIssue ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|4|00|9|00|9|00|0|00|2|00|0|00|0|00|-|00|3|00|c|00|9|00|d|00|-|00|4|00|2|00|6|00|d|00|-|00|8|00|1|00|d|00|f|00|-|00|a|00|a|00|b|00|6|00|3|00|6|00|f|00|a|00|4|00|3|00|4|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x009\x009\x000\x002\x000\x000\x00-\x003\x00c\x009\x00d\x00-\x004\x002\x006\x00d\x00-\x008\x001\x00d\x00f\x00-\x00a\x00a\x00b\x006\x003\x006\x00f\x00a\x004\x003\x004\x005\x00(}\x00)?\5/si"; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:10391; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMAppSdkUtil Class ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|5|00|6|00|9|00|1|00|3|00|5|00|5|00|-|00|a|00|4|00|f|00|a|00|-|00|4|00|e|00|2|00|b|00|-|00|b|00|4|00|6|00|1|00|-|00|8|00|1|00|4|00|5|00|f|00|9|00|0|00|a|00|a|00|8|00|d|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x005\x006\x009\x001\x003\x005\x005\x00-\x00a\x004\x00f\x00a\x00-\x004\x00e\x002\x00b\x00-\x00b\x004\x006\x001\x00-\x008\x001\x004\x005\x00f\x009\x000\x00a\x00a\x008\x00d\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14425; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP 
eSupportDiagnostics 5 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|7|00|7|00|4|00|9|00|2|00|2|00|A|00|-|00|8|00|9|00|8|00|3|00|-|00|4|00|E|00|C|00|C|00|-|00|9|00|4|00|F|00|D|00|-|00|7|00|2|00|3|00|5|00|F|00|0|00|6|00|F|00|5|00|3|00|A|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x007\x004\x009\x002\x002\x00A\x00-\x008\x009\x008\x003\x00-\x004\x00E\x00C\x00C\x00-\x009\x004\x00F\x00D\x00-\x007\x002\x003\x005\x00F\x000\x006\x00F\x005\x003\x00A\x001\x00(}\x00)?(?P=q36)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13725; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmappsdk.CuiObj ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|C|00|u|00|i|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00i\x00O\x00b\x00j\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00i\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14401; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DivX Web Player ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|0|00|5|00|0|00|D|00|7|00|3|00|6|00|-|00|2|00|D|00|2|00|1|00|-|00|4|00|7|00|2|00|3|00|-|00|A|00|D|00|5|00|8|00|-|00|5|00|B|00|5|00|4|00|1|00|F|00|F|00|B|00|6|00|C|00|1|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27106; reference:cve,2008-0090; classtype:attempted-user; sid:13274; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Database Tools Query Designer V7.0 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|c|00|1|00|0|00|a|00|9|00|8|00|f|00|-|00|d|00|6|00|4|00|f|00|-|00|4|00|3|00|b|00|4|00|-|00|b|00|e|00|d|00|6|00|-|00|d|00|d|00|0|00|e|00|1|00|b|00|f|00|2|00|0|00|7|00|4|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00c\x001\x000\x00a\x009\x008\x00f\x00-\x00d\x006\x004\x00f\x00-\x004\x003\x00b\x004\x00-\x00b\x00e\x00d\x006\x00-\x00d\x00d\x000\x00e\x001\x00b\x00f\x002\x000\x007\x004\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14327; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ourgame GLWorld ActiveX function call unicode access"; flow:established,to_client; 
content:"H|00|a|00|n|00|G|00|a|00|m|00|e|00|P|00|l|00|u|00|g|00|i|00|n|00|C|00|n|00|1|00|8|00|.|00|H|00|a|00|n|00|G|00|a|00|m|00|e|00|P|00|l|00|u|00|g|00|i|00|n|00|C|00|n|00|1|00|8|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00.\x00H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00.\x00H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27626; reference:cve,2008-0647; classtype:attempted-user; sid:13788; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BarcodeWiz ActiveX function call unicode access"; flow:established,to_client; content:"B|00|a|00|r|00|c|00|o|00|d|00|e|00|W|00|i|00|z|00|.|00|B|00|a|00|r|00|c|00|o|00|d|00|e|00|W|00|i|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00.\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00.\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23891; reference:cve,2007-2585; reference:url,moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html; classtype:attempted-user; sid:11262; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Download Handler ActiveX function call unicode access"; flow:established,to_client; 
content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:13604; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 10 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|6|00|a|00|0|00|5|00|5|00|7|00|6|00|-|00|9|00|8|00|7|00|f|00|-|00|4|00|f|00|6|00|d|00|-|00|9|00|1|00|0|00|2|00|-|00|8|00|7|00|9|00|9|00|e|00|3|00|d|00|e|00|d|00|0|00|7|00|b|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x006\x00a\x000\x005\x005\x007\x006\x00-\x009\x008\x007\x00f\x00-\x004\x00f\x006\x00d\x00-\x009\x001\x000\x002\x00-\x008\x007\x009\x009\x00e\x003\x00d\x00e\x00d\x000\x007\x00b\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; 
reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14441; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Audio Conferencing ActiveX function call unicode access"; flow:established,to_client; content:"Y|00|a|00|h|00|o|00|o|00|.|00|A|00|u|00|d|00|i|00|o|00|C|00|o|00|n|00|f|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00a\x00h\x00o\x00o\x00.\x00A\x00u\x00d\x00i\x00o\x00C\x00o\x00n\x00f\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00a\x00h\x00o\x00o\x00.\x00A\x00u\x00d\x00i\x00o\x00C\x00o\x00n\x00f\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,23291; reference:cve,2007-1680; reference:url,messenger.yahoo.com/security_update.php?id=031207; classtype:attempted-user; sid:10426; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Import 1 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|D|00|5|00|F|00|B|00|D|00|B|00|8|00|-|00|C|00|5|00|1|00|8|00|-|00|4|00|7|00|F|00|7|00|-|00|B|00|4|00|F|00|1|00|-|00|F|00|1|00|F|00|5|00|8|00|D|00|2|00|1|00|A|00|7|00|1|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12962; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 21 ActiveX clsid unicode access"; flow:established,to_client; 
content:"E|00|1|00|2|00|D|00|A|00|4|00|F|00|2|00|-|00|B|00|D|00|F|00|B|00|-|00|4|00|E|00|A|00|D|00|-|00|B|00|1|00|2|00|F|00|-|00|2|00|7|00|2|00|5|00|2|00|5|00|1|00|F|00|A|00|6|00|B|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x001\x002\x00D\x00A\x004\x00F\x002\x00-\x00B\x00D\x00F\x00B\x00-\x004\x00E\x00A\x00D\x00-\x00B\x001\x002\x00F\x00-\x002\x007\x002\x005\x002\x005\x001\x00F\x00A\x006\x00B\x000\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13757; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 11 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|9|00|5|00|8|00|4|00|5|00|D|00|8|00|-|00|8|00|4|00|6|00|3|00|-|00|4|00|6|00|0|00|5|00|-|00|B|00|5|00|F|00|B|00|-|00|4|00|F|00|8|00|C|00|F|00|B|00|A|00|C|00|5|00|C|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x009\x005\x008\x004\x005\x00D\x008\x00-\x008\x004\x006\x003\x00-\x004\x006\x000\x005\x00-\x00B\x005\x00F\x00B\x00-\x004\x00F\x008\x00C\x00F\x00B\x00A\x00C\x005\x00C\x004\x007\x00(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13737; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Pq2vcom.Pq2v ActiveX clsid unicode access"; flow:established,to_client; 
content:"5|00|6|00|4|00|7|00|D|00|A|00|F|00|6|00|-|00|8|00|5|00|B|00|E|00|-|00|4|00|1|00|7|00|3|00|-|00|8|00|8|00|E|00|7|00|-|00|7|00|4|00|9|00|3|00|2|00|2|00|B|00|2|00|4|00|3|00|B|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x006\x004\x007\x00D\x00A\x00F\x006\x00-\x008\x005\x00B\x00E\x00-\x004\x001\x007\x003\x00-\x008\x008\x00E\x007\x00-\x007\x004\x009\x003\x002\x002\x00B\x002\x004\x003\x00B\x00E\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14383; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WebEx Meeting Manager atucfobj ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|2|00|E|00|2|00|6|00|F|00|D|00|9|00|-|00|F|00|4|00|3|00|5|00|-|00|4|00|A|00|2|00|0|00|-|00|A|00|5|00|6|00|1|00|-|00|3|00|5|00|D|00|4|00|B|00|9|00|8|00|7|00|C|00|F|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x002\x00E\x002\x006\x00F\x00D\x009\x00-\x00F\x004\x003\x005\x00-\x004\x00A\x002\x000\x00-\x00A\x005\x006\x001\x00-\x003\x005\x00D\x004\x00B\x009\x008\x007\x00C\x00F\x00D\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30578; reference:cve,2008-3558; reference:url,www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml; classtype:attempted-user; sid:14014; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX Rediff Bol Downloader ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|A|00|D|00|A|00|8|00|2|00|C|00|B|00|-|00|B|00|F|00|4|00|8|00|-|00|4|00|D|00|7|00|6|00|-|00|9|00|6|00|1|00|1|00|-|00|7|00|8|00|E|00|2|00|C|00|6|00|F|00|4|00|9|00|F|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00A\x00D\x00A\x008\x002\x00C\x00B\x00-\x00B\x00F\x004\x008\x00-\x004\x00D\x007\x006\x00-\x009\x006\x001\x001\x00-\x007\x008\x00E\x002\x00C\x006\x00F\x004\x009\x00F\x000\x003\x00(}\x00)?\5/si"; reference:bugtraq,21831; reference:cve,2006-6838; classtype:attempted-user; sid:9825; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|A|00|F|00|3|00|7|00|8|00|D|00|E|00|-|00|4|00|5|00|7|00|4|00|-|00|4|00|b|00|b|00|0|00|-|00|A|00|5|00|D|00|F|00|-|00|F|00|7|00|8|00|F|00|C|00|A|00|D|00|2|00|8|00|7|00|0|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00A\x00F\x003\x007\x008\x00D\x00E\x00-\x004\x005\x007\x004\x00-\x004\x00b\x00b\x000\x00-\x00A\x005\x00D\x00F\x00-\x00F\x007\x008\x00F\x00C\x00A\x00D\x002\x008\x007\x000\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14275; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 
Microsoft Cryptographic API COM 1 ActiveX function call unicode access"; flow:established,to_client; content:"C|00|A|00|P|00|I|00|C|00|O|00|M|00|.|00|C|00|e|00|r|00|t|00|i|00|f|00|i|00|c|00|a|00|t|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00A\x00P\x00I\x00C\x00O\x00M\x00.\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00A\x00P\x00I\x00C\x00O\x00M\x00.\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2007-0940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-028; classtype:attempted-user; sid:11233; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMEnumStrings Class ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|2|00|d|00|3|00|7|00|a|00|6|00|6|00|-|00|d|00|c|00|2|00|3|00|-|00|4|00|2|00|4|00|4|00|-|00|8|00|a|00|d|00|d|00|-|00|2|00|e|00|8|00|b|00|d|00|c|00|a|00|f|00|a|00|9|00|b|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x00d\x003\x007\x00a\x006\x006\x00-\x00d\x00c\x002\x003\x00-\x004\x002\x004\x004\x00-\x008\x00a\x00d\x00d\x00-\x002\x00e\x008\x00b\x00d\x00c\x00a\x00f\x00a\x009\x00b\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14431; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BrowseDialog ActiveX 
clsid unicode access"; flow:established,to_client; content:"1|00|9|00|E|00|6|00|E|00|1|00|4|00|8|00|-|00|B|00|A|00|E|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|0|00|3|00|A|00|-|00|E|00|A|00|F|00|C|00|2|00|0|00|5|00|2|00|4|00|1|00|5|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x009\x00E\x006\x00E\x001\x004\x008\x00-\x00B\x00A\x00E\x00C\x00-\x001\x001\x00D\x002\x00-\x00B\x000\x003\x00A\x00-\x00E\x00A\x00F\x00C\x002\x000\x005\x002\x004\x001\x005\x003\x00(}\x00)?\5/si"; reference:bugtraq,22110; reference:cve,2007-0371; classtype:attempted-user; sid:10163; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 20 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|5|00|C|00|D|00|E|00|E|00|1|00|D|00|-|00|D|00|1|00|0|00|9|00|-|00|4|00|9|00|9|00|2|00|-|00|B|00|7|00|2|00|B|00|-|00|6|00|D|00|4|00|F|00|5|00|E|00|2|00|A|00|B|00|7|00|3|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x005\x00C\x00D\x00E\x00E\x001\x00D\x00-\x00D\x001\x000\x009\x00-\x004\x009\x009\x002\x00-\x00B\x007\x002\x00B\x00-\x006\x00D\x004\x00F\x005\x00E\x002\x00A\x00B\x007\x003\x001\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14127; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Instant Support DataManager ActiveX function call unicode access"; flow:established,to_client; 
content:"H|00|P|00|I|00|S|00|D|00|a|00|t|00|a|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|L|00|i|00|b|00|.|00|D|00|a|00|t|00|a|00|m|00|g|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00P\x00I\x00S\x00D\x00a\x00t\x00a\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00L\x00i\x00b\x00.\x00D\x00a\x00t\x00a\x00m\x00g\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)H\x00P\x00I\x00S\x00D\x00a\x00t\x00a\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00L\x00i\x00b\x00.\x00D\x00a\x00t\x00a\x00m\x00g\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,29530; reference:bugtraq,29531; reference:bugtraq,29532; reference:bugtraq,29533; reference:bugtraq,29534; reference:bugtraq,29535; reference:bugtraq,29536; reference:cve,2007-5605; reference:cve,2007-5606; reference:cve,2007-5607; reference:cve,2007-5608; reference:cve,2007-5610; reference:cve,2008-0952; reference:cve,2008-0953; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13860; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 49 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|A|00|1|00|2|00|5|00|4|00|7|00|F|00|-|00|B|00|7|00|7|00|2|00|-|00|4|00|F|00|2|00|D|00|-|00|B|00|E|00|3|00|6|00|-|00|C|00|E|00|5|00|D|00|0|00|F|00|A|00|8|00|8|00|6|00|A|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00A\x001\x002\x005\x004\x007\x00F\x00-\x00B\x007\x007\x002\x00-\x004\x00F\x002\x00D\x00-\x00B\x00E\x003\x006\x00-\x00C\x00E\x005\x00D\x000\x00F\x00A\x008\x008\x006\x00A\x001\x00(}\x00)?(?P=q88)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14185; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HTML Inline Sound Control ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|4|00|2|00|2|00|D|00|A|00|E|00|3|00|-|00|9|00|9|00|2|00|9|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|D|00|3|00|-|00|0|00|0|00|4|00|0|00|3|00|3|00|3|00|7|00|3|00|D|00|A|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x004\x002\x002\x00D\x00A\x00E\x003\x00-\x009\x009\x002\x009\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x00D\x003\x00-\x000\x000\x004\x000\x003\x003\x003\x007\x003\x00D\x00A\x008\x00(}\x00)?\5/si"; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10146; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Studio 6 PDWizard.ocx ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|D|00|D|00|F|00|3|00|C|00|0|00|B|00|-|00|E|00|6|00|9|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|B|00|0|00|6|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25638; 
reference:cve,2007-4891; classtype:attempted-user; sid:12460; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMMsg Class ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|d|00|4|00|1|00|6|00|3|00|9|00|a|00|-|00|8|00|8|00|c|00|c|00|-|00|4|00|3|00|d|00|2|00|-|00|b|00|6|00|c|00|b|00|-|00|2|00|c|00|e|00|9|00|8|00|a|00|2|00|4|00|5|00|0|00|9|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00d\x004\x001\x006\x003\x009\x00a\x00-\x008\x008\x00c\x00c\x00-\x004\x003\x00d\x002\x00-\x00b\x006\x00c\x00b\x00-\x002\x00c\x00e\x009\x008\x00a\x002\x004\x005\x000\x009\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14345; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.PopulatedDi ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|1|00|D|00|F|00|0|00|7|00|7|00|9|00|-|00|3|00|6|00|3|00|2|00|-|00|4|00|7|00|9|00|0|00|-|00|B|00|4|00|0|00|F|00|-|00|C|00|4|00|4|00|C|00|F|00|C|00|F|00|5|00|5|00|C|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x00D\x00F\x000\x007\x007\x009\x00-\x003\x006\x003\x002\x00-\x004\x007\x009\x000\x00-\x00B\x004\x000\x00F\x00-\x00C\x004\x004\x00C\x00F\x00C\x00F\x005\x005\x00C\x00B\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; 
reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14351; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CCRP FolderTreeView ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|9|00|B|00|7|00|F|00|2|00|D|00|6|00|-|00|1|00|6|00|1|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|F|00|3|00|0|00|-|00|1|00|A|00|F|00|8|00|2|00|0|00|5|00|2|00|4|00|1|00|5|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x009\x00B\x007\x00F\x002\x00D\x006\x00-\x001\x006\x001\x000\x00-\x001\x001\x00D\x003\x00-\x00B\x00F\x003\x000\x00-\x001\x00A\x00F\x008\x002\x000\x005\x002\x004\x001\x005\x003\x00(}\x00)?\5/si"; reference:bugtraq,22092; reference:cve,2007-0356; reference:url,ccrp.mvps.org/index.html?controls/ccrpftv6.htm; classtype:attempted-user; sid:10014; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iPIX Image Well ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|f|00|8|00|d|00|9|00|f|00|2|00|a|00|-|00|f|00|6|00|4|00|1|00|-|00|4|00|e|00|f|00|0|00|-|00|b|00|2|00|e|00|c|00|-|00|3|00|b|00|a|00|2|00|b|00|e|00|7|00|c|00|2|00|9|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10467; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"C|00|D|00|A|00|F|00|9|00|C|00|E|00|C|00|-|00|F|00|3|00|E|00|C|00|-|00|4|00|B|00|2|00|2|00|-|00|A|00|B|00|A|00|3|00|-|00|9|00|7|00|2|00|6|00|7|00|1|00|3|00|5|00|6|00|0|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00D\x00A\x00F\x009\x00C\x00E\x00C\x00-\x00F\x003\x00E\x00C\x00-\x004\x00B\x002\x002\x00-\x00A\x00B\x00A\x003\x00-\x009\x007\x002\x006\x007\x001\x003\x005\x006\x000\x00F\x008\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/si"; reference:bugtraq,26967; reference:cve,2007-6513; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13231; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sony ImageStation ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|9|00|A|00|7|00|F|00|5|00|6|00|F|00|-|00|C|00|4|00|0|00|F|00|-|00|4|00|9|00|2|00|8|00|-|00|8|00|C|00|6|00|F|00|-|00|7|00|A|00|7|00|2|00|F|00|2|00|A|00|2|00|5|00|2|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27715; reference:cve,2008-0748; classtype:attempted-user; sid:13548; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BusinessObjects RptViewerAx ActiveX function call unicode access"; flow:established,to_client; content:"B|00|u|00|s|00|i|00|n|00|e|00|s|00|s|00|O|00|b|00|j|00|e|00|c|00|t|00|s|00|.|00|R|00|p|00|t|00|V|00|i|00|e|00|w|00|e|00|r|00|A|00|X|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)B\x00u\x00s\x00i\x00n\x00e\x00s\x00s\x00O\x00b\x00j\x00e\x00c\x00t\x00s\x00.\x00R\x00p\x00t\x00V\x00i\x00e\x00w\x00e\x00r\x00A\x00X\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)B\x00u\x00s\x00i\x00n\x00e\x00s\x00s\x00O\x00b\x00j\x00e\x00c\x00t\x00s\x00.\x00R\x00p\x00t\x00V\x00i\x00e\x00w\x00e\x00r\x00A\x00X\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28292; reference:cve,2007-6254; classtype:attempted-user; sid:13660; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 63 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|6|00|A|00|7|00|F|00|F|00|1|00|B|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|C|00|B|00|E|00|-|00|B|00|1|00|9|00|7|00|-|00|E|00|A|00|5|00|5|00|4|00|D|00|6|00|D|00|F|00|4|00|0|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x006\x00A\x007\x00F\x00F\x001\x00B\x00-\x009\x009\x005\x001\x00-\x004\x00C\x00B\x00E\x00-\x00B\x001\x009\x007\x00-\x00E\x00A\x005\x005\x004\x00D\x006\x00D\x00F\x004\x000\x00D\x00(}\x00)?(?P=q120)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14213; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RMOC3260.DLL Vulnerble Property ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|G|00|2|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28157; reference:cve,2008-1309; classtype:attempted-user; sid:13610; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iPIX Media Send Class ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|0|00|4|00|a|00|7|00|0|00|9|00|9|00|-|00|0|00|c|00|2|00|5|00|-|00|4|00|f|00|c|00|7|00|-|00|9|00|7|00|0|00|f|00|-|00|6|00|e|00|c|00|7|00|d|00|7|00|7|00|8|00|8|00|6|00|f|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; reference:bugtraq,23379; reference:cve,2007-1687; reference:url,www.kb.cert.org/vuls/id/958609; classtype:attempted-user; sid:10471; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 29 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|8|00|B|00|B|00|C|00|A|00|7|00|1|00|-|00|E|00|1|00|F|00|6|00|-|00|4|00|7|00|B|00|2|00|-|00|8|00|7|00|D|00|3|00|-|00|3|00|6|00|9|00|E|00|1|00|3|00|4|00|9|00|D|00|9|00|9|00|0|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x00B\x00B\x00C\x00A\x007\x001\x00-\x00E\x001\x00F\x006\x00-\x004\x007\x00B\x002\x00-\x008\x007\x00D\x003\x00-\x003\x006\x009\x00E\x001\x003\x004\x009\x00D\x009\x009\x000\x00(}\x00)?(?P=q44)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14145; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Windows Image Acquisition Logger ActiveX function call unicode access"; flow:established,to_client; content:"W|00|i|00|a|00|L|00|o|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00i\x00a\x00L\x00o\x00g\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)W\x00i\x00a\x00L\x00o\x00g\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14269; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 7 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|5|00|8|00|6|00|9|00|5|00|7|00|5|00|-|00|0|00|7|00|b|00|a|00|-|00|4|00|c|00|7|00|e|00|-|00|8|00|f|00|8|00|f|00|-|00|9|00|8|00|0|00|d|00|f|00|b|00|c|00|1|00|2|00|a|00|b|00|d|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x005\x008\x006\x009\x005\x007\x005\x00-\x000\x007\x00b\x00a\x00-\x004\x00c\x007\x00e\x00-\x008\x00f\x008\x00f\x00-\x009\x008\x000\x00d\x00f\x00b\x00c\x001\x002\x00a\x00b\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14415; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Locator ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|L|00|o|00|c|00|a|00|t|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00L\x00o\x00c\x00a\x00t\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00L\x00o\x00c\x00a\x00t\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14273; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX Microsoft Package and Deployment Wizard ActiveX function call unicode access"; flow:established,to_client; content:"P|00|D|00|W|00|i|00|z|00|a|00|r|00|d|00|.|00|S|00|e|00|t|00|u|00|p|00|P|00|k|00|g|00|P|00|a|00|n|00|e|00|l|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00S\x00e\x00t\x00u\x00p\x00P\x00k\x00g\x00P\x00a\x00n\x00e\x00l\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00S\x00e\x00t\x00u\x00p\x00P\x00k\x00g\x00P\x00a\x00n\x00e\x00l\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,25295; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-045; classtype:attempted-user; sid:13324; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Najdi.si Toolbar ActiveX function call unicode access"; flow:established,to_client; content:"I|00|n|00|t|00|e|00|r|00|s|00|e|00|e|00|k|00|.|00|I|00|E|00|T|00|o|00|o|00|l|00|b|00|a|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00n\x00t\x00e\x00r\x00s\x00e\x00e\x00k\x00.\x00I\x00E\x00T\x00o\x00o\x00l\x00b\x00a\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)I\x00n\x00t\x00e\x00r\x00s\x00e\x00e\x00k\x00.\x00I\x00E\x00T\x00o\x00o\x00l\x00b\x00a\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,30922; reference:cve,2008-7103; classtype:attempted-user; sid:14246; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|0|00|0|00|8|00|A|00|5|00|4|00|3|00|-|00|C|00|E|00|F|00|B|00|-|00|4|00|5|00|5|00|9|00|-|00|9|00|1|00|2|00|F|00|-|00|C|00|2|00|7|00|C|00|2|00|B|00|8|00|9|00|F|00|1|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26972; reference:cve,2007-4474; reference:cve,2010-0919; classtype:attempted-user; sid:13263; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX D-Link MPEG4 SHM Audio Control ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|9|00|3|00|B|00|4|00|7|00|F|00|D|00|-|00|9|00|B|00|F|00|6|00|-|00|4|00|D|00|A|00|8|00|-|00|9|00|7|00|F|00|C|00|-|00|9|00|2|00|7|00|0|00|B|00|9|00|D|00|6|00|4|00|A|00|6|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13528; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster ISIS Object ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|I|00|S|00|I|00|S|00|.|00|L|00|e|00|a|00|d|00|R|00|a|00|s|00|t|00|e|00|r|00|I|00|S|00|I|00|S|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00.\x00L\x00e\x00a\x00d\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00(?P=q29)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00.\x00L\x00e\x00a\x00d\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00(?P=q30)(\s|>)(\s\x00)*\)\x00/smi"; 
reference:bugtraq,24193; reference:cve,2007-2980; reference:url,moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html; classtype:attempted-user; sid:11645; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DXImageTransform.Microsoft.Redirect ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|B|00|0|00|7|00|B|00|2|00|8|00|-|00|2|00|2|00|8|00|0|00|-|00|4|00|9|00|3|00|7|00|-|00|B|00|0|00|3|00|5|00|-|00|0|00|2|00|9|00|3|00|F|00|B|00|8|00|1|00|2|00|7|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-013; classtype:attempted-user; sid:11240; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 38 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|2|00|6|00|E|00|6|00|1|00|2|00|0|00|-|00|D|00|D|00|3|00|5|00|-|00|4|00|B|00|E|00|A|00|-|00|B|00|1|00|E|00|3|00|-|00|E|00|7|00|5|00|F|00|5|00|4|00|6|00|E|00|B|00|F|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x002\x006\x00E\x006\x001\x002\x000\x00-\x00D\x00D\x003\x005\x00-\x004\x00B\x00E\x00A\x00-\x00B\x001\x00E\x003\x00-\x00E\x007\x005\x00F\x005\x004\x006\x00E\x00B\x00F\x002\x00A\x00(}\x00)?(?P=q64)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14163; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Input Method Editor ActiveX clsid unicode access"; flow:established,to_client; 
content:"6|00|E|00|3|00|1|00|9|00|7|00|A|00|3|00|-|00|B|00|B|00|C|00|3|00|-|00|1|00|1|00|D|00|4|00|-|00|8|00|4|00|C|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|A|00|0|00|6|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x003\x001\x009\x007\x00A\x003\x00-\x00B\x00B\x00C\x003\x00-\x001\x001\x00D\x004\x00-\x008\x004\x00C\x000\x00-\x000\x000\x00C\x000\x004\x00F\x007\x00A\x000\x006\x00E\x005\x00(}\x00)?\5/si"; reference:cve,2006-4697; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10138; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 52 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|C|00|7|00|A|00|2|00|3|00|D|00|9|00|-|00|2|00|A|00|9|00|B|00|-|00|4|00|A|00|E|00|A|00|-|00|B|00|A|00|9|00|1|00|-|00|3|00|0|00|0|00|3|00|A|00|3|00|1|00|6|00|B|00|4|00|4|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00C\x007\x00A\x002\x003\x00D\x009\x00-\x002\x00A\x009\x00B\x00-\x004\x00A\x00E\x00A\x00-\x00B\x00A\x009\x001\x00-\x003\x000\x000\x003\x00A\x003\x001\x006\x00B\x004\x004\x00D\x00(}\x00)?(?P=q96)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14191; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft SQL Server Distributed Management Objects ActiveX clsid unicode access"; flow:established,to_client; 
content:"1|00|0|00|0|00|2|00|0|00|2|00|0|00|0|00|-|00|E|00|2|00|6|00|0|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|E|00|6|00|8|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|A|00|3|00|4|00|D|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q11)(?=\s\x00|>\x00)/si"; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:12445; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 46 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|6|00|E|00|0|00|7|00|E|00|F|00|9|00|-|00|4|00|E|00|8|00|9|00|-|00|4|00|2|00|8|00|4|00|-|00|9|00|6|00|3|00|2|00|-|00|6|00|D|00|6|00|9|00|0|00|4|00|B|00|7|00|7|00|7|00|3|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x006\x00E\x000\x007\x00E\x00F\x009\x00-\x004\x00E\x008\x009\x00-\x004\x002\x008\x004\x00-\x009\x006\x003\x002\x00-\x006\x00D\x006\x009\x000\x004\x00B\x007\x007\x007\x003\x002\x00(}\x00)?(?P=q82)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14179; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Audio Conferencing ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|B|00|3|00|2|00|3|00|C|00|D|00|9|00|-|00|5|00|0|00|E|00|3|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|4|00|6|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|7|00|0|00|0|00|4|00|9|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,23291; reference:cve,2007-1680; reference:url,messenger.yahoo.com/security_update.php?id=031207; classtype:attempted-user; sid:10424; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS 
-> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 7 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|4|00|7|00|0|00|D|00|E|00|8|00|0|00|-|00|1|00|6|00|3|00|5|00|-|00|4|00|B|00|5|00|D|00|-|00|9|00|3|00|A|00|3|00|-|00|3|00|7|00|0|00|1|00|C|00|E|00|1|00|4|00|8|00|A|00|7|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x004\x007\x000\x00D\x00E\x008\x000\x00-\x001\x006\x003\x005\x00-\x004\x00B\x005\x00D\x00-\x009\x003\x00A\x003\x00-\x003\x007\x000\x001\x00C\x00E\x001\x004\x008\x00A\x007\x009\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13729; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ActiveX Soft DVD Tools ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|9|00|4|00|A|00|6|00|3|00|3|00|E|00|-|00|F|00|2|00|6|00|1|00|-|00|2|00|8|00|B|00|D|00|-|00|9|00|6|00|F|00|3|00|-|00|3|00|8|00|0|00|E|00|B|00|E|00|E|00|1|00|B|00|A|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,22558; reference:cve,2007-0976; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html; classtype:attempted-user; sid:10157; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 13 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|E|00|2|00|B|00|9|00|3|00|7|00|E|00|-|00|E|00|A|00|7|00|D|00|-|00|4|00|A|00|8|00|D|00|-|00|8|00|8|00|8|00|C|00|-|00|B|00|6|00|8|00|D|00|7|00|F|00|7|00|2|00|A|00|3|00|C|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00E\x002\x00B\x009\x003\x007\x00E\x00-\x00E\x00A\x007\x00D\x00-\x004\x00A\x008\x00D\x00-\x008\x008\x008\x00C\x00-\x00B\x006\x008\x00D\x007\x00F\x007\x002\x00A\x003\x00C\x004\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14113; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Input Method Editor 3 ActiveX function call unicode access"; flow:established,to_client; content:"I|00|D|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00D\x002\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)I\x00D\x002\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2007-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,www.xsec.org/index.php?module=releases&act=view&type=1&id=9; classtype:attempted-user; sid:11325; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Import 2 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|2|00|1|00|E|00|9|00|1|00|E|00|7|00|-|00|E|00|9|00|1|00|5|00|-|00|4|00|a|00|a|00|6|00|-|00|8|00|9|00|F|00|3|00|-|00|B|00|A|00|6|00|2|00|D|00|1|00|0|00|A|00|4|00|C|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12964; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools 
Raster Variant Object Library ActiveX function call unicode access"; flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q39)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q40)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24075; reference:cve,2007-2851; reference:url,moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html; classtype:attempted-user; sid:11653; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Import 3 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|3|00|C|00|9|00|C|00|B|00|6|00|7|00|-|00|F|00|4|00|5|00|3|00|-|00|4|00|7|00|9|00|a|00|-|00|9|00|A|00|B|00|0|00|-|00|9|00|4|00|A|00|E|00|6|00|5|00|F|00|2|00|E|00|B|00|2|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12966; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kingsoft Antivirus Online Update Module ActiveX function call unicode access"; flow:established,to_client; 
content:"U|00|p|00|d|00|a|00|t|00|e|00|O|00|c|00|x|00|2|00|.|00|K|00|U|00|p|00|d|00|a|00|t|00|e|00|O|00|b|00|j|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)U\x00p\x00d\x00a\x00t\x00e\x00O\x00c\x00x\x002\x00.\x00K\x00U\x00p\x00d\x00a\x00t\x00e\x00O\x00b\x00j\x002\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)U\x00p\x00d\x00a\x00t\x00e\x00O\x00c\x00x\x002\x00.\x00K\x00U\x00p\x00d\x00a\x00t\x00e\x00O\x00b\x00j\x002\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28172; reference:cve,2008-1307; classtype:attempted-user; sid:13602; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Database Tools Query Designer V7.0 ActiveX function call unicode access"; flow:established,to_client; content:"M|00|S|00|V|00|D|00|T|00|Q|00|u|00|e|00|r|00|y|00|D|00|e|00|s|00|i|00|g|00|n|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00V\x00D\x00T\x00Q\x00u\x00e\x00r\x00y\x00D\x00e\x00s\x00i\x00g\x00n\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00V\x00D\x00T\x00Q\x00u\x00e\x00r\x00y\x00D\x00e\x00s\x00i\x00g\x00n\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14329; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 
Microsoft Visual Studio Msmask32 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|9|00|3|00|2|00|B|00|A|00|8|00|5|00|-|00|4|00|3|00|7|00|4|00|-|00|1|00|0|00|1|00|B|00|-|00|A|00|5|00|6|00|C|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|3|00|6|00|6|00|8|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x009\x003\x002\x00B\x00A\x008\x005\x00-\x004\x003\x007\x004\x00-\x001\x000\x001\x00B\x00-\x00A\x005\x006\x00C\x00-\x000\x000\x00A\x00A\x000\x000\x003\x006\x006\x008\x00D\x00C\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; reference:bugtraq,30674; reference:cve,2008-3704; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:14022; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SwiftView ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|D|00|D|00|6|00|2|00|E|00|5|00|8|00|-|00|5|00|F|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|A|00|F|00|B|00|7|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|4|00|F|00|1|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; reference:bugtraq,27527; reference:cve,2007-5602; reference:url,www.swiftview.com/tech/security/bulletins/SBSV-07-10-02.htm; classtype:attempted-user; sid:13424; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SmartCode VNC Manager ActiveX function call unicode access"; flow:established,to_client; content:"S|00|m|00|a|00|r|00|t|00|C|00|o|00|d|00|e|00|.|00|V|00|i|00|e|00|w|00|e|00|r|00|X|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00m\x00a\x00r\x00t\x00C\x00o\x00d\x00e\x00.\x00V\x00i\x00e\x00w\x00e\x00r\x00X\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00m\x00a\x00r\x00t\x00C\x00o\x00d\x00e\x00.\x00V\x00i\x00e\x00w\x00e\x00r\x00X\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23869; reference:cve,2007-2526; reference:url,moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html; classtype:attempted-user; sid:11221; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Eyeball MessengerSDK ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|A|00|0|00|6|00|E|00|E|00|7|00|1|00|-|00|7|00|3|00|4|00|8|00|-|00|4|00|4|00|C|00|4|00|-|00|9|00|5|00|4|00|0|00|-|00|A|00|A|00|F|00|0|00|E|00|6|00|B|00|D|00|1|00|5|00|1|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x000\x006\x00E\x00E\x007\x001\x00-\x007\x003\x004\x008\x00-\x004\x004\x00C\x004\x00-\x009\x005\x004\x000\x00-\x00A\x00A\x00F\x000\x00E\x006\x00B\x00D\x001\x005\x001\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,30424; reference:cve,2008-3430; classtype:attempted-user; sid:14248; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Toshiba Surveillance Surveillix DVR ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|D|00|3|00|1|00|5|00|3|00|0|00|9|00|-|00|E|00|A|00|0|00|0|00|-|00|4|00|5|00|A|00|E|00|-|00|9|00|E|00|8|00|E|00|-|00|B|00|6|00|A|00|6|00|1|00|C|00|E|00|6|00|B|00|9|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; reference:bugtraq,27360; 
reference:cve,2008-0399; classtype:attempted-user; sid:13330; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Raster Document Object Library ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|3|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q23)(?=\s\x00|>\x00)/si"; reference:bugtraq,24179; reference:cve,2007-2981; reference:url,moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html; classtype:attempted-user; sid:11639; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Intuit QuickBooks Online Import 5 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|2|00|3|00|A|00|A|00|6|00|2|00|2|00|-|00|D|00|7|00|2|00|B|00|-|00|4|00|2|00|d|00|4|00|-|00|9|00|0|00|5|00|D|00|-|00|F|00|D|00|D|00|9|00|F|00|C|00|9|00|6|00|0|00|0|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; reference:url,sc.accounting.quickbooks.com/Update/index.cfm?id=32; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12970; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Webcam Viewer Wrapper ActiveX function call unicode access"; flow:established,to_client; content:"Y|00|W|00|c|00|V|00|w|00|r|00|.|00|W|00|c|00|V|00|i|00|e|00|w|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00W\x00c\x00V\x00w\x00r\x00.\x00W\x00c\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00W\x00c\x00V\x00w\x00r\x00.\x00W\x00c\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24341; reference:cve,2007-3148; reference:url,www.frsirt.com/english/advisories/2007/2094; classtype:attempted-user; sid:11821; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Eyeball MessengerSDK ActiveX function call unicode access"; flow:established,to_client; content:"E|00|y|00|e|00|b|00|a|00|l|00|l|00|S|00|d|00|k|00|.|00|V|00|i|00|d|00|e|00|o|00|W|00|i|00|n|00|d|00|o|00|w|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00y\x00e\x00b\x00a\x00l\x00l\x00S\x00d\x00k\x00.\x00V\x00i\x00d\x00e\x00o\x00W\x00i\x00n\x00d\x00o\x00w\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00y\x00e\x00b\x00a\x00l\x00l\x00S\x00d\x00k\x00.\x00V\x00i\x00d\x00e\x00o\x00W\x00i\x00n\x00d\x00o\x00w\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,30424; reference:cve,2008-3430; classtype:attempted-user; sid:14250; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientVMs Class ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|1|00|5|00|c|00|b|00|0|00|5|00|d|00|-|00|6|00|9|00|1|00|f|00|-|00|4|00|2|00|0|00|8|00|-|00|a|00|f|00|1|00|4|00|-|00|0|00|f|00|a|00|2|00|f|00|b|00|b|00|2|00|c|00|a|00|d|00|6|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x001\x005\x00c\x00b\x000\x005\x00d\x00-\x006\x009\x001\x00f\x00-\x004\x002\x000\x008\x00-\x00a\x00f\x001\x004\x00-\x000\x00f\x00a\x002\x00f\x00b\x00b\x002\x00c\x00a\x00d\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14335; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BusinessObjects RptViewerAx ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|2|00|0|00|D|00|9|00|D|00|6|00|A|00|-|00|0|00|D|00|E|00|C|00|-|00|4|00|d|00|7|00|6|00|-|00|9|00|B|00|E|00|F|00|-|00|1|00|7|00|5|00|8|00|9|00|6|00|0|00|0|00|6|00|B|00|4|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,28292; reference:cve,2007-6254; classtype:attempted-user; sid:13658; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 48 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|9|00|7|00|E|00|E|00|4|00|1|00|C|00|-|00|C|00|E|00|0|00|6|00|-|00|4|00|D|00|D|00|4|00|-|00|8|00|3|00|0|00|8|00|-|00|6|00|C|00|7|00|3|00|0|00|7|00|1|00|3|00|C|00|6|00|4|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x009\x007\x00E\x00E\x004\x001\x00C\x00-\x00C\x00E\x000\x006\x00-\x004\x00D\x00D\x004\x00-\x008\x003\x000\x008\x00-\x006\x00C\x007\x003\x000\x007\x001\x003\x00C\x006\x004\x006\x00(}\x00)?(?P=q86)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14183; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Clever Database Comparer ActiveX function call unicode access"; flow:established,to_client; content:"c|00|o|00|m|00|p|00|a|00|r|00|e|00|r|00|a|00|x|00|.|00|I|00|B|00|D|00|B|00|E|00|x|00|t|00|r|00|a|00|c|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)c\x00o\x00m\x00p\x00a\x00r\x00e\x00r\x00a\x00x\x00.\x00I\x00B\x00D\x00B\x00E\x00x\x00t\x00r\x00a\x00c\x00t\x00(?P=q11)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)c\x00o\x00m\x00p\x00a\x00r\x00e\x00r\x00a\x00x\x00.\x00I\x00B\x00D\x00B\x00E\x00x\x00t\x00r\x00a\x00c\x00t\x00(?P=q12)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23969; reference:cve,2007-2648; reference:url,moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html; classtype:attempted-user; sid:11300; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 3 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|c|00|d|00|e|00|d|00|a|00|3|00|a|00|-|00|1|00|1|00|4|00|b|00|-|00|4|00|5|00|5|00|e|00|-|00|8|00|c|00|8|00|b|00|-|00|2|00|2|00|4|00|d|00|b|00|4|00|b|00|f|00|2|00|9|00|c|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00c\x00d\x00e\x00d\x00a\x003\x00a\x00-\x001\x001\x004\x00b\x00-\x004\x005\x005\x00e\x00-\x008\x00c\x008\x00b\x00-\x002\x002\x004\x00d\x00b\x004\x00b\x00f\x002\x009\x00c\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14343; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Pq2vcom.Pq2v ActiveX function call unicode access"; flow:established,to_client; content:"P|00|q|00|2|00|v|00|c|00|o|00|m|00|.|00|P|00|q|00|2|00|v|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00q\x002\x00v\x00c\x00o\x00m\x00.\x00P\x00q\x002\x00v\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)P\x00q\x002\x00v\x00c\x00o\x00m\x00.\x00P\x00q\x002\x00v\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14385; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RemoteDirDlg Class ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|c|00|e|00|4|00|1|00|2|00|d|00|9|00|-|00|4|00|5|00|2|00|0|00|-|00|4|00|e|00|5|00|a|00|-|00|8|00|9|00|3|00|d|00|-|00|8|00|8|00|b|00|3|00|a|00|8|00|f|00|2|00|9|00|c|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00c\x00e\x004\x001\x002\x00d\x009\x00-\x004\x005\x002\x000\x00-\x004\x00e\x005\x00a\x00-\x008\x009\x003\x00d\x00-\x008\x008\x00b\x003\x00a\x008\x00f\x002\x009\x00c\x009\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14295; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DivX Web Player ActiveX function call unicode access"; flow:established,to_client; content:"n|00|p|00|U|00|p|00|l|00|o|00|a|00|d|00|.|00|D|00|i|00|v|00|X|00|C|00|o|00|n|00|t|00|e|00|n|00|t|00|U|00|p|00|l|00|o|00|a|00|d|00|P|00|l|00|u|00|g|00|i|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)n\x00p\x00U\x00p\x00l\x00o\x00a\x00d\x00.\x00D\x00i\x00v\x00X\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00U\x00p\x00l\x00o\x00a\x00d\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)n\x00p\x00U\x00p\x00l\x00o\x00a\x00d\x00.\x00D\x00i\x00v\x00X\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00U\x00p\x00l\x00o\x00a\x00d\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27106; reference:cve,2008-0090; classtype:attempted-user; sid:13276; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX BarcodeWiz ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|D|00|3|00|B|00|0|00|9|00|F|00|1|00|-|00|2|00|6|00|F|00|B|00|-|00|4|00|1|00|C|00|D|00|-|00|B|00|3|00|F|00|2|00|-|00|E|00|1|00|7|00|8|00|D|00|F|00|D|00|3|00|B|00|C|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,23891; reference:cve,2007-2585; reference:url,moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html; classtype:attempted-user; sid:11260; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 19 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|B|00|A|00|F|00|C|00|7|00|B|00|3|00|-|00|F|00|3|00|1|00|8|00|-|00|4|00|B|00|D|00|4|00|-|00|B|00|A|00|B|00|B|00|-|00|6|00|E|00|4|00|0|00|3|00|2|00|7|00|2|00|6|00|1|00|5|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00B\x00A\x00F\x00C\x007\x00B\x003\x00-\x00F\x003\x001\x008\x00-\x004\x00B\x00D\x004\x00-\x00B\x00A\x00B\x00B\x00-\x006\x00E\x004\x000\x003\x002\x007\x002\x006\x001\x005\x00A\x00(}\x00)?(?P=q22)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14125; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 12 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|B|00|0|00|4|00|9|00|B|00|1|00|1|00|-|00|6|00|0|00|7|00|B|00|-|00|4|00|6|00|C|00|8|00|-|00|B|00|B|00|F|00|7|00|-|00|F|00|4|00|D|00|6|00|A|00|F|00|3|00|0|00|1|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00B\x000\x004\x009\x00B\x001\x001\x00-\x006\x000\x007\x00B\x00-\x004\x006\x00C\x008\x00-\x00B\x00B\x00F\x007\x00-\x00F\x004\x00D\x006\x00A\x00F\x003\x000\x001\x000\x004\x006\x00(}\x00)?(?P=q9)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13739; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vantage Linguistics 2 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|f|00|6|00|a|00|7|00|2|00|b|00|9|00|-|00|d|00|3|00|c|00|5|00|-|00|4|00|f|00|c|00|e|00|-|00|8|00|9|00|a|00|3|00|-|00|4|00|e|00|3|00|d|00|1|00|9|00|c|00|3|00|5|00|8|00|0|00|a|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.vantagelinguistics.com/answerworks/release/; classtype:attempted-user; sid:12951; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.PopulatedDi ActiveX function call unicode access"; flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|P|00|o|00|p|00|u|00|l|00|a|00|t|00|e|00|d|00|D|00|i|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00P\x00o\x00p\x00u\x00l\x00a\x00t\x00e\x00d\x00D\x00i\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00P\x00o\x00p\x00u\x00l\x00a\x00t\x00e\x00d\x00D\x00i\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14353; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Data Dynamics ActiveBar Actbar3 ActiveX function call unicode access"; flow:established,to_client; content:"A|00|c|00|t|00|i|00|v|00|e|00|B|00|a|00|r|00|3|00|L|00|i|00|b|00|r|00|a|00|r|00|y|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|B|00|a|00|r|00|3|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00L\x00i\x00b\x00r\x00a\x00r\x00y\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00L\x00i\x00b\x00r\x00a\x00r\x00y\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24959; reference:cve,2007-3883; classtype:attempted-user; sid:12086; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMEnumStrings Class ActiveX 
function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|E|00|n|00|u|00|m|00|S|00|t|00|r|00|i|00|n|00|g|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00E\x00n\x00u\x00m\x00S\x00t\x00r\x00i\x00n\x00g\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00E\x00n\x00u\x00m\x00S\x00t\x00r\x00i\x00n\x00g\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14433; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft HeartbeatCtl ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|5|00|D|00|4|00|1|00|9|00|D|00|6|00|-|00|A|00|8|00|4|00|6|00|-|00|4|00|5|00|1|00|4|00|-|00|9|00|F|00|A|00|D|00|-|00|9|00|7|00|E|00|8|00|2|00|6|00|C|00|8|00|4|00|8|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,28882; reference:cve,2007-6255; classtype:attempted-user; sid:13759; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX TEC-IT TBarCode ActiveX clsid unicode access"; flow:established,to_client; 
content:"D|00|8|00|5|00|4|00|1|00|7|00|6|00|5|00|-|00|F|00|6|00|D|00|2|00|-|00|4|00|E|00|E|00|1|00|-|00|A|00|E|00|A|00|A|00|-|00|4|00|0|00|1|00|6|00|B|00|E|00|1|00|D|00|9|00|8|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24440; reference:cve,2007-3233; classtype:attempted-user; sid:11840; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RControl ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|A|00|5|00|1|00|5|00|F|00|C|00|D|00|-|00|C|00|0|00|E|00|9|00|-|00|4|00|F|00|3|00|8|00|-|00|9|00|C|00|7|00|7|00|-|00|2|00|9|00|4|00|9|00|5|00|1|00|4|00|3|00|6|00|6|00|F|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,23914; reference:cve,2007-2623; reference:url,moaxb.blogspot.com/2007/05/moaxb-10-rcontroldll-v-1210-denial-of.html; classtype:attempted-user; sid:11275; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PowerPoint Viewer ActiveX function call unicode access"; flow:established,to_client; content:"O|00|A|00|.|00|O|00|A|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00A\x00.\x00O\x00A\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q22)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00A\x00.\x00O\x00A\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q23)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,23733; reference:bugtraq,33238; reference:bugtraq,33243; reference:cve,2007-2494; 
reference:url,moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html; classtype:attempted-user; sid:11179; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 53 ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|6|00|1|00|2|00|7|00|E|00|3|00|B|00|-|00|8|00|D|00|1|00|7|00|-|00|4|00|B|00|E|00|A|00|-|00|A|00|0|00|3|00|9|00|-|00|8|00|B|00|B|00|9|00|D|00|0|00|D|00|1|00|0|00|5|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x001\x002\x007\x00E\x003\x00B\x00-\x008\x00D\x001\x007\x00-\x004\x00B\x00E\x00A\x00-\x00A\x000\x003\x009\x00-\x008\x00B\x00B\x009\x00D\x000\x00D\x001\x000\x005\x00A\x002\x00(}\x00)?(?P=q98)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14193; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RMOC3260.DLL Vulnerble Property ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|A|00|0|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,28157; reference:cve,2008-1309; classtype:attempted-user; sid:13608; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kaspersky AntiVirus SysInfo ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|A|00|6|00|1|00|6|00|0|00|6|00|B|00|-|00|2|00|5|00|8|00|C|00|-|00|4|00|0|00|2|00|1|00|-|00|A|00|D|00|2|00|7|00|-|00|E|00|0|00|7|00|A|00|3|00|F|00|3|00|B|00|9|00|1|00|D|00|B|00|"; 
fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,23325; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; reference:url,www.kaspersky.com/technews?id=203038694; classtype:attempted-user; sid:10428; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Second Sight Software ActiveMod ActiveX function call unicode access"; flow:established,to_client; content:"A|00|C|00|T|00|I|00|V|00|E|00|M|00|O|00|D|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|M|00|o|00|d|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00M\x00O\x00D\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00M\x00o\x00d\x00C\x00t\x00r\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00M\x00O\x00D\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00M\x00o\x00d\x00C\x00t\x00r\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23554; reference:cve,2007-1691; reference:url,www.kb.cert.org/vuls/id/962305; classtype:attempted-user; sid:10985; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX East Wind Software ADVDAUDIO ActiveX function call unicode access"; flow:established,to_client; content:"A|00|D|00|V|00|D|00|A|00|U|00|D|00|I|00|O|00|.|00|A|00|D|00|V|00|D|00|A|00|U|00|D|00|I|00|O|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00.\x00A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00.\x00A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23833; reference:cve,2007-2576; reference:url,moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html; classtype:attempted-user; sid:11209; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RemoteBrowseDlg Class ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|b|00|6|00|8|00|1|00|4|00|1|00|7|00|-|00|a|00|b|00|e|00|9|00|-|00|4|00|6|00|c|00|a|00|-|00|9|00|6|00|1|00|5|00|-|00|8|00|b|00|9|00|6|00|e|00|c|00|7|00|2|00|4|00|d|00|0|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00b\x006\x008\x001\x004\x001\x007\x00-\x00a\x00b\x00e\x009\x00-\x004\x006\x00c\x00a\x00-\x009\x006\x001\x005\x00-\x008\x00b\x009\x006\x00e\x00c\x007\x002\x004\x00d\x000\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14403; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CA DSM gui_cm_ctrls ActiveX clsid unicode access"; flow:established,to_client; 
content:"E|00|6|00|2|00|3|00|9|00|E|00|B|00|3|00|-|00|E|00|0|00|B|00|0|00|-|00|4|00|6|00|D|00|A|00|-|00|A|00|2|00|1|00|5|00|-|00|C|00|F|00|A|00|9|00|B|00|3|00|B|00|7|00|4|00|0|00|C|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x002\x003\x009\x00E\x00B\x003\x00-\x00E\x000\x00B\x000\x00-\x004\x006\x00D\x00A\x00-\x00A\x002\x001\x005\x00-\x00C\x00F\x00A\x009\x00B\x003\x00B\x007\x004\x000\x00C\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,28809; reference:cve,2008-1786; classtype:attempted-user; sid:13700; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX D-Link MPEG4 SHM Audio Control ActiveX function call unicode access"; flow:established,to_client; content:"V|00|A|00|P|00|g|00|D|00|e|00|c|00|o|00|d|00|e|00|r|00|.|00|V|00|a|00|P|00|g|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00A\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00A\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28010; reference:cve,2008-4771; classtype:attempted-user; sid:13530; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 58 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|8|00|5|00|C|00|A|00|E|00|3|00|C|00|-|00|F|00|1|00|6|00|A|00|-|00|4|00|A|00|8|00|4|00|-|00|9|00|A|00|8|00|0|00|-|00|F|00|F|00|2|00|3|00|D|00|6|00|E|00|5|00|6|00|D|00|6|00|8|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x008\x005\x00C\x00A\x00E\x003\x00C\x00-\x00F\x001\x006\x00A\x00-\x004\x00A\x008\x004\x00-\x009\x00A\x008\x000\x00-\x00F\x00F\x002\x003\x00D\x006\x00E\x005\x006\x00D\x006\x008\x00(}\x00)?(?P=q108)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14203; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Rich TextBox ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|6|00|1|00|7|00|B|00|9|00|9|00|1|00|-|00|A|00|7|00|6|00|7|00|-|00|4|00|F|00|0|00|5|00|-|00|9|00|9|00|B|00|A|00|-|00|A|00|C|00|6|00|F|00|C|00|A|00|B|00|B|00|1|00|0|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,27201; reference:cve,2008-0237; classtype:attempted-user; sid:13295; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP eSupportDiagnostics 13 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|B|00|2|00|3|00|7|00|0|00|4|00|4|00|-|00|8|00|A|00|3|00|B|00|-|00|4|00|2|00|B|00|B|00|-|00|9|00|E|00|E|00|1|00|-|00|9|00|B|00|F|00|A|00|6|00|7|00|2|00|1|00|D|00|9|00|E|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00B\x002\x003\x007\x000\x004\x004\x00-\x008\x00A\x003\x00B\x00-\x004\x002\x00B\x00B\x00-\x009\x00E\x00E\x001\x00-\x009\x00B\x00F\x00A\x006\x007\x002\x001\x00D\x009\x00E\x00D\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/si"; reference:bugtraq,28929; reference:cve,2008-0712; 
reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13741; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft HeartbeatCtl ActiveX function call unicode access"; flow:established,to_client; content:"H|00|e|00|a|00|r|00|t|00|b|00|e|00|a|00|t|00|C|00|t|00|l|00|.|00|H|00|e|00|a|00|r|00|t|00|b|00|e|00|a|00|t|00|C|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00l\x00.\x00H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00l\x00.\x00H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28882; reference:cve,2007-6255; classtype:attempted-user; sid:13761; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Chilkat HTTP 2 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|9|00|7|00|3|00|3|00|9|00|3|00|F|00|-|00|2|00|7|00|C|00|7|00|-|00|4|00|7|00|8|00|1|00|-|00|8|00|7|00|7|00|D|00|-|00|8|00|6|00|2|00|6|00|A|00|A|00|E|00|D|00|F|00|1|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q16)(?=\s\x00|>\x00)/si"; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13690; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ultra Crypto Component CryptoX.dll 2 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|D|00|2|00|2|00|F|00|3|00|A|00|E|00|-|00|1|00|4|00|5|00|0|00|-|00|4|00|B|00|D|00|C|00|-|00|A|00|D|00|B|00|E|00|-|00|6|00|A|00|F|00|2|00|1|00|0|00|A|00|7|00|8|00|C|00|2|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,25611; reference:cve,2007-4902; reference:url,www.ultrashareware.com/Ultra-Crypto-Component.htm; classtype:attempted-user; sid:12443; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 44 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|8|00|6|00|E|00|E|00|6|00|8|00|A|00|-|00|9|00|C|00|7|00|7|00|-|00|4|00|4|00|4|00|1|00|-|00|B|00|D|00|3|00|5|00|-|00|1|00|4|00|C|00|C|00|6|00|C|00|C|00|4|00|A|00|1|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x008\x006\x00E\x00E\x006\x008\x00A\x00-\x009\x00C\x007\x007\x00-\x004\x004\x004\x001\x00-\x00B\x00D\x003\x005\x00-\x001\x004\x00C\x00C\x006\x00C\x00C\x004\x00A\x001\x008\x009\x00(}\x00)?(?P=q78)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14175; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClient Class ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|c|00|c|00|3|00|4|00|b|00|9|00|f|00|-|00|1|00|5|00|3|00|6|00|-|00|4|00|3|00|3|00|0|00|-|00|a|00|d|00|f|00|b|00|-|00|b|00|0|00|a|00|6|00|8|00|c|00|e|00|3|00|d|00|8|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00c\x00c\x003\x004\x00b\x009\x00f\x00-\x001\x005\x003\x006\x00-\x004\x003\x003\x000\x00-\x00a\x00d\x00f\x00b\x00-\x00b\x000\x00a\x006\x008\x00c\x00e\x003\x00d\x008\x005\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; 
reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14379; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Backup Exec ActiveX function call unicode access"; flow:established,to_client; content:"i|00|P|00|V|00|A|00|T|00|L|00|C|00|a|00|l|00|e|00|n|00|d|00|a|00|r|00|.|00|P|00|V|00|C|00|a|00|l|00|e|00|n|00|d|00|a|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)i\x00P\x00V\x00A\x00T\x00L\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00.\x00P\x00V\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)i\x00P\x00V\x00A\x00T\x00L\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00.\x00P\x00V\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26904; reference:cve,2007-6016; reference:url,www.symantec.com/avcenter/security/Content/2008.02.28.html; classtype:attempted-user; sid:13542; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 62 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|9|00|2|00|8|00|9|00|8|00|B|00|E|00|-|00|C|00|7|00|C|00|C|00|-|00|4|00|C|00|B|00|3|00|-|00|A|00|4|00|5|00|C|00|-|00|6|00|6|00|5|00|0|00|8|00|B|00|7|00|E|00|2|00|C|00|3|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x009\x002\x008\x009\x008\x00B\x00E\x00-\x00C\x007\x00C\x00C\x00-\x004\x00C\x00B\x003\x00-\x00A\x004\x005\x00C\x00-\x006\x006\x005\x000\x008\x00B\x007\x00E\x002\x00C\x003\x003\x00(}\x00)?(?P=q118)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14211; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec NavComUI AxSysListView32OAA ActiveX function call unicode access"; flow:established,to_client; content:"N|00|a|00|v|00|C|00|o|00|m|00|U|00|I|00|.|00|A|00|x|00|S|00|y|00|s|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|3|00|2|00|O|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00O\x00A\x00A\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00O\x00A\x00A\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12253; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec NavComUI AxSysListView32 ActiveX function call unicode access"; flow:established,to_client; content:"N|00|a|00|v|00|C|00|o|00|m|00|U|00|I|00|.|00|A|00|x|00|S|00|y|00|s|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|3|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12249; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 27 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|6|00|C|00|2|00|B|00|4|00|7|00|7|00|-|00|5|00|3|00|8|00|2|00|-|00|4|00|A|00|0|00|9|00|-|00|8|00|C|00|A|00|3|00|-|00|E|00|6|00|3|00|B|00|1|00|1|00|5|00|8|00|A|00|3|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x006\x00C\x002\x00B\x004\x007\x007\x00-\x005\x003\x008\x002\x00-\x004\x00A\x000\x009\x00-\x008\x00C\x00A\x003\x00-\x00E\x006\x003\x00B\x001\x001\x005\x008\x00A\x003\x007\x007\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14141; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microgaming Download Helper ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|E|00|D|00|9|00|8|00|6|00|3|00|0|00|-|00|0|00|2|00|5|00|1|00|-|00|4|00|E|00|8|00|3|00|-|00|9|00|1|00|7|00|D|00|-|00|4|00|3|00|A|00|2|00|3|00|D|00|6|00|6|00|D|00|5|00|0|00|7|00|"; fast_pattern:only; nocase; 
pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q16)(?=\s\x00|>\x00)/si"; reference:bugtraq,23595; reference:cve,2007-2177; reference:url,www.kb.cert.org/vuls/id/184473; classtype:attempted-user; sid:10992; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Widgets Engine ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|E|00|C|00|7|00|B|00|6|00|C|00|5|00|-|00|2|00|5|00|B|00|D|00|-|00|4|00|5|00|8|00|6|00|-|00|A|00|6|00|4|00|1|00|-|00|D|00|2|00|A|00|C|00|B|00|B|00|6|00|6|00|2|00|9|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25086; reference:cve,2007-4034; reference:url,help.yahoo.com/l/us/yahoo/widgets/security/security-08.html; classtype:attempted-user; sid:12194; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office 2000 and 2002 Web Components PivotTable ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|2|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x002\x000\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,4449; reference:cve,2002-0727; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; classtype:attempted-user; sid:14629; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sienzo Digital Music Mentor ActiveX clsid unicode 
access"; flow:established,to_client; content:"E|00|2|00|B|00|7|00|D|00|D|00|A|00|9|00|-|00|3|00|8|00|C|00|5|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|1|00|F|00|6|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|D|00|B|00|8|00|F|00|F|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,23838; reference:cve,2007-2564; reference:url,moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html; classtype:attempted-user; sid:11211; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 71 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|C|00|7|00|D|00|A|00|0|00|8|00|7|00|-|00|B|00|7|00|F|00|4|00|-|00|4|00|8|00|2|00|9|00|-|00|B|00|0|00|3|00|8|00|-|00|D|00|A|00|0|00|1|00|D|00|F|00|B|00|5|00|D|00|8|00|7|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00C\x007\x00D\x00A\x000\x008\x007\x00-\x00B\x007\x00F\x004\x00-\x004\x008\x002\x009\x00-\x00B\x000\x003\x008\x00-\x00D\x00A\x000\x001\x00D\x00F\x00B\x005\x00D\x008\x007\x009\x00(}\x00)?(?P=q138)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14229; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 39 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|2|00|6|00|6|00|1|00|8|00|A|00|9|00|-|00|4|00|0|00|3|00|5|00|-|00|4|00|C|00|D|00|6|00|-|00|8|00|2|00|4|00|0|00|-|00|6|00|4|00|C|00|5|00|8|00|E|00|B|00|3|00|7|00|B|00|0|00|7|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x006\x006\x001\x008\x00A\x009\x00-\x004\x000\x003\x005\x00-\x004\x00C\x00D\x006\x00-\x008\x002\x004\x000\x00-\x006\x004\x00C\x005\x008\x00E\x00B\x003\x007\x00B\x000\x007\x00(}\x00)?(?P=q66)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14165; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 10 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|1|00|F|00|5|00|1|00|6|00|9|00|8|00|-|00|7|00|B|00|6|00|3|00|-|00|4|00|3|00|9|00|4|00|-|00|8|00|7|00|4|00|3|00|-|00|1|00|F|00|4|00|C|00|F|00|1|00|8|00|5|00|3|00|D|00|E|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x001\x00F\x005\x001\x006\x009\x008\x00-\x007\x00B\x006\x003\x00-\x004\x003\x009\x004\x00-\x008\x007\x004\x003\x00-\x001\x00F\x004\x00C\x00F\x001\x008\x005\x003\x00D\x00E\x001\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14107; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GDivX Zenith Player AVI Fixer ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|2|00|5|00|E|00|9|00|B|00|C|00|-|00|A|00|F|00|B|00|3|00|-|00|4|00|E|00|D|00|4|00|-|00|B|00|2|00|0|00|E|00|-|00|4|00|F|00|6|00|C|00|F|00|1|00|C|00|3|00|9|00|F|00|8|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; reference:bugtraq,23907; reference:cve,2007-2601; 
classtype:attempted-user; sid:11277; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|0|00|E|00|4|00|2|00|D|00|6|00|0|00|-|00|3|00|6|00|8|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|8|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:cve,2008-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-041; reference:url,www.microsoft.com/TechNet/security/advisory/955179.mspx; classtype:attempted-user; sid:13908; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Orbit Downloader ActiveX function call unicode access"; flow:established,to_client; content:"O|00|r|00|b|00|i|00|t|00|m|00|x|00|t|00|.|00|O|00|r|00|b|00|i|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00r\x00b\x00i\x00t\x00m\x00x\x00t\x00.\x00O\x00r\x00b\x00i\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00r\x00b\x00i\x00t\x00m\x00x\x00t\x00.\x00O\x00r\x00b\x00i\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-1602; classtype:attempted-user; sid:14036; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX TEC-IT TBarCode ActiveX function call unicode access"; flow:established,to_client; content:"T|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|7|00|.|00|T|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|7|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00.\x00T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00.\x00T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24440; reference:cve,2007-3233; classtype:attempted-user; sid:11842; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DB Software Laboratory DeWizardX ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|0|00|4|00|0|00|3|00|3|00|0|00|3|00|-|00|E|00|F|00|2|00|1|00|-|00|4|00|7|00|7|00|1|00|-|00|A|00|4|00|1|00|A|00|-|00|6|00|5|00|1|00|0|00|8|00|9|00|8|00|9|00|2|00|E|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; reference:bugtraq,23986; reference:cve,2007-2725; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11302; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Research In Motion TeamOn Import ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|D|00|9|00|5|00|A|00|7|00|C|00|7|00|-|00|3|00|2|00|8|00|2|00|-|00|4|00|D|00|B|00|7|00|-|00|9|00|A|00|4|00|8|00|-|00|7|00|C|00|3|00|9|00|C|00|E|00|1|00|5|00|2|00|A|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,23331; reference:cve,2007-0323; reference:url,na.blackberry.com/eng/ataglance/security/news.jsp; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,www.kb.cert.org/vuls/id/869641; classtype:attempted-user; sid:11248; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Xunlei 
Web Thunder ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|E|00|D|00|D|00|6|00|F|00|F|00|9|00|-|00|1|00|3|00|D|00|E|00|-|00|4|00|9|00|6|00|B|00|-|00|9|00|A|00|1|00|C|00|-|00|D|00|7|00|8|00|B|00|3|00|2|00|1|00|5|00|E|00|2|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25751; reference:cve,2007-5064; classtype:attempted-user; sid:12599; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Package and Deployment Wizard ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|D|00|D|00|F|00|3|00|B|00|D|00|2|00|-|00|E|00|6|00|9|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|B|00|0|00|6|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25295; reference:cve,2007-3041; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-045; classtype:attempted-user; sid:13322; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX function call unicode access"; flow:established,to_client; content:"S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|.|00|S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; 
reference:cve,2007-6244; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=102039374017185&w=2; reference:url,www.adobe.com/support/security/bulletins/apsb07-20.html; classtype:attempted-user; sid:13217; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientVMs Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|V|00|M|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14337; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PPStream PowerPlayer ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|E|00|C|00|7|00|C|00|5|00|1|00|1|00|-|00|C|00|D|00|0|00|F|00|-|00|4|00|2|00|E|00|6|00|-|00|8|00|3|00|0|00|C|00|-|00|1|00|B|00|D|00|9|00|8|00|8|00|2|00|F|00|3|00|4|00|5|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25502; reference:cve,2007-4748; classtype:attempted-user; sid:12389; rev:5;) # 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer SMIL Download Handler ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|S|00|M|00|I|00|L|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00M\x00I\x00L\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q36)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00M\x00I\x00L\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q37)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14051; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX OutlookExpress.AddressBook ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|3|00|3|00|A|00|9|00|6|00|9|00|4|00|-|00|6|00|6|00|7|00|E|00|-|00|1|00|1|00|d|00|1|00|-|00|9|00|D|00|F|00|B|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|D|00|5|00|0|00|4|00|0|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; sid:11237; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX 
Microsoft Voice Control ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|E|00|E|00|7|00|8|00|5|00|9|00|1|00|-|00|F|00|E|00|2|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|B|00|E|00|F|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|1|00|8|00|4|00|1|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11827; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 18 ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|E|00|B|00|2|00|A|00|2|00|E|00|C|00|-|00|1|00|C|00|3|00|A|00|-|00|4|00|9|00|4|00|6|00|-|00|9|00|6|00|1|00|4|00|-|00|8|00|6|00|D|00|3|00|A|00|1|00|0|00|E|00|D|00|B|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00E\x00B\x002\x00A\x002\x00E\x00C\x00-\x001\x00C\x003\x00A\x00-\x004\x009\x004\x006\x00-\x009\x006\x001\x004\x00-\x008\x006\x00D\x003\x00A\x001\x000\x00E\x00D\x00B\x00F\x003\x00(}\x00)?(?P=q20)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14123; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbSchema Class ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|a|00|8|00|c|00|c|00|e|00|1|00|b|00|-|00|1|00|8|00|4|00|5|00|-|00|4|00|a|00|4|00|b|00|-|00|9|00|b|00|8|00|9|00|-|00|c|00|5|00|a|00|9|00|7|00|d|00|2|00|a|00|c|00|a|00|e|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00a\x008\x00c\x00c\x00e\x001\x00b\x00-\x001\x008\x004\x005\x00-\x004\x00a\x004\x00b\x00-\x009\x00b\x008\x009\x00-\x00c\x005\x00a\x009\x007\x00d\x002\x00a\x00c\x00a\x00e\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14387; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Windows MFC Library ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|3|00|F|00|3|00|8|00|1|00|A|00|3|00|-|00|4|00|7|00|9|00|5|00|-|00|4|00|1|00|F|00|F|00|-|00|8|00|1|00|9|00|0|00|-|00|7|00|A|00|A|00|2|00|A|00|8|00|1|00|0|00|2|00|F|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x003\x00F\x003\x008\x001\x00A\x003\x00-\x004\x007\x009\x005\x00-\x004\x001\x00F\x00F\x00-\x008\x001\x009\x000\x00-\x007\x00A\x00A\x002\x00A\x008\x001\x000\x002\x00F\x008\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,25697; reference:cve,2007-4916; classtype:attempted-user; sid:12613; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VideoLAN VLC ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|d|00|e|00|o|00|L|00|A|00|N|00|.|00|V|00|L|00|C|00|P|00|l|00|u|00|g|00|i|00|n|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00d\x00e\x00o\x00L\x00A\x00N\x00.\x00V\x00L\x00C\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00d\x00e\x00o\x00L\x00A\x00N\x00.\x00V\x00L\x00C\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26675; reference:cve,2007-6262; reference:url,www.videolan.org/sa0703.html; classtype:attempted-user; sid:12806; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Assistant ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|8|00|3|00|B|00|B|00|6|00|6|00|-|00|A|00|1|00|5|00|D|00|-|00|4|00|A|00|C|00|8|00|-|00|B|00|A|00|7|00|2|00|-|00|9|00|C|00|8|00|C|00|9|00|F|00|5|00|A|00|1|00|6|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,29065; reference:cve,2008-2111; classtype:attempted-user; sid:13784; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MSAuth ActiveX function call unicode access"; flow:established,to_client; content:"N|00|M|00|S|00|A|00|.|00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|D|00|e|00|s|00|c|00|r|00|i|00|p|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00M\x00S\x00A\x00.\x00S\x00e\x00s\x00s\x00i\x00o\x00n\x00D\x00e\x00s\x00c\x00r\x00i\x00p\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00M\x00S\x00A\x00.\x00S\x00e\x00s\x00s\x00i\x00o\x00n\x00D\x00e\x00s\x00c\x00r\x00i\x00p\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2007-2221; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11227; rev:6;) # 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX UUSee UUUpgrade ActiveX function call unicode access"; flow:established,to_client; content:"U|00|U|00|U|00|P|00|G|00|R|00|A|00|D|00|E|00|.|00|U|00|U|00|U|00|p|00|g|00|r|00|a|00|d|00|e|00|C|00|t|00|r|00|l|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)U\x00U\x00U\x00P\x00G\x00R\x00A\x00D\x00E\x00.\x00U\x00U\x00U\x00p\x00g\x00r\x00a\x00d\x00e\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)U\x00U\x00U\x00P\x00G\x00R\x00A\x00D\x00E\x00.\x00U\x00U\x00U\x00p\x00g\x00r\x00a\x00d\x00e\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,29963; reference:cve,2008-7168; classtype:attempted-user; sid:13886; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 1 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|d|00|d|00|2|00|5|00|5|00|5|00|8|00|-|00|d|00|d|00|a|00|3|00|-|00|4|00|7|00|6|00|a|00|-|00|a|00|8|00|1|00|c|00|-|00|a|00|0|00|7|00|b|00|6|00|2|00|f|00|3|00|3|00|7|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00d\x00d\x002\x005\x005\x005\x008\x00-\x00d\x00d\x00a\x003\x00-\x004\x007\x006\x00a\x00-\x00a\x008\x001\x00c\x00-\x00a\x000\x007\x00b\x006\x002\x00f\x003\x003\x007\x002\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14315; rev:7;) # alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Chilkat HTTP 1 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|9|00|E|00|8|00|6|00|1|00|B|00|D|00|-|00|E|00|6|00|0|00|6|00|-|00|4|00|7|00|3|00|3|00|-|00|8|00|C|00|7|00|9|00|-|00|F|00|A|00|D|00|D|00|F|00|D|00|6|00|1|00|D|00|C|00|8|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q11)(?=\s\x00|>\x00)/si"; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13686; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX LeadTools Thumbnail Browser Control ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|2|00|0|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q43)(?=\s\x00|>\x00)/si"; reference:bugtraq,24053; reference:cve,2007-2787; reference:url,moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html; classtype:attempted-user; sid:11655; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|1|00|2|00|6|00|6|00|C|00|2|00|1|00|-|00|1|00|8|00|D|00|8|00|-|00|4|00|1|00|4|00|B|00|-|00|8|00|8|00|C|00|0|00|-|00|8|00|D|00|C|00|A|00|6|00|C|00|2|00|5|00|C|00|E|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,25050; reference:cve,2007-3302; reference:url,supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp; classtype:attempted-user; sid:12169; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX RichFX Basic Player ActiveX function call unicode access"; flow:established,to_client; content:"R|00|F|00|X|00|I|00|n|00|s|00|t|00|M|00|g|00|r|00|.|00|R|00|F|00|X|00|I|00|n|00|s|00|t|00|M|00|g|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00.\x00R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00.\x00R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26573; classtype:attempted-user; sid:12754; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AudioCDRipper ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|E|00|6|00|0|00|4|00|3|00|3|00|3|00|-|00|B|00|0|00|2|00|9|00|-|00|4|00|4|00|E|00|6|00|-|00|8|00|3|00|6|00|7|00|-|00|1|00|5|00|6|00|6|00|B|00|0|00|A|00|D|00|7|00|0|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; reference:bugtraq,23900; reference:cve,2007-2603; classtype:attempted-user; sid:11285; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX TeamListViewWnd Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|T|00|e|00|a|00|m|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|W|00|n|00|d|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00T\x00e\x00a\x00m\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00T\x00e\x00a\x00m\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14301; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RemoteDirDlg Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|R|00|e|00|m|00|o|00|t|00|e|00|D|00|i|00|r|00|D|00|l|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00D\x00i\x00r\x00D\x00l\x00g\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00D\x00i\x00r\x00D\x00l\x00g\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; 
reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14297; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IDAutomation Linear Bar Code ActiveX function call unicode access"; flow:established,to_client; content:"I|00|D|00|A|00|u|00|t|00|o|00|.|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00D\x00A\x00u\x00t\x00o\x00.\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00(?P=q6)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)I\x00D\x00A\x00u\x00t\x00o\x00.\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00(?P=q7)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23954; reference:cve,2007-2658; reference:url,moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html; classtype:attempted-user; sid:11296; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 8 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|f|00|2|00|f|00|3|00|b|00|5|00|4|00|-|00|4|00|3|00|c|00|c|00|-|00|4|00|9|00|1|00|2|00|-|00|9|00|b|00|4|00|8|00|-|00|b|00|d|00|5|00|0|00|0|00|a|00|0|00|2|00|3|00|d|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00f\x002\x00f\x003\x00b\x005\x004\x00-\x004\x003\x00c\x00c\x00-\x004\x009\x001\x002\x00-\x009\x00b\x004\x008\x00-\x00b\x00d\x005\x000\x000\x00a\x000\x002\x003\x00d\x004\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; 
reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14429; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DB Software Laboratory DeWizardX ActiveX function call unicode access"; flow:established,to_client; content:"D|00|E|00|W|00|i|00|z|00|a|00|r|00|d|00|A|00|X|00|.|00|D|00|E|00|W|00|i|00|z|00|a|00|r|00|d|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00A\x00X\x00.\x00D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00X\x00(?P=q16)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00A\x00X\x00.\x00D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00X\x00(?P=q17)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23986; reference:cve,2007-2725; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; classtype:attempted-user; sid:11304; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vantage Linguistics 3 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|6|00|b|00|4|00|5|00|4|00|6|00|f|00|-|00|c|00|2|00|6|00|3|00|-|00|1|00|1|00|d|00|1|00|-|00|b|00|1|00|c|00|9|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; reference:url,www.vantagelinguistics.com/answerworks/release/; classtype:attempted-user; sid:12953; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 12 ActiveX clsid unicode access"; flow:established,to_client; 
content:"9|00|1|00|6|00|0|00|6|00|3|00|A|00|5|00|-|00|0|00|0|00|9|00|8|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|7|00|1|00|7|00|-|00|1|00|B|00|2|00|C|00|6|00|2|00|D|00|D|00|4|00|E|00|4|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x006\x000\x006\x003\x00A\x005\x00-\x000\x000\x009\x008\x00-\x004\x00F\x00B\x007\x00-\x008\x007\x001\x007\x00-\x001\x00B\x002\x00C\x006\x002\x00D\x00D\x004\x00E\x004\x005\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14111; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MSN Heartbeat 2 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|c|00|6|00|3|00|d|00|a|00|b|00|a|00|-|00|c|00|b|00|a|00|8|00|-|00|4|00|b|00|5|00|d|00|-|00|a|00|0|00|f|00|7|00|-|00|a|00|e|00|0|00|0|00|f|00|2|00|9|00|2|00|0|00|9|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12958; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies QRCode ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|B|00|B|00|5|00|6|00|6|00|3|00|7|00|-|00|6|00|5|00|1|00|D|00|-|00|4|00|D|00|1|00|D|00|-|00|A|00|F|00|A|00|4|00|-|00|C|00|0|00|5|00|0|00|6|00|F|00|5|00|7|00|E|00|A|00|F|00|8|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00B\x00B\x005\x006\x006\x003\x007\x00-\x006\x005\x001\x00D\x00-\x004\x00D\x001\x00D\x00-\x00A\x00F\x00A\x004\x00-\x00C\x000\x005\x000\x006\x00F\x005\x007\x00E\x00A\x00F\x008\x00(}\x00)?(?P=q23)(?=\s\x00|>\x00)/siO"; reference:bugtraq,25702; reference:cve,2007-4982; classtype:attempted-user; sid:12467; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TypeLibInfo ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|B|00|2|00|1|00|7|00|7|00|4|00|6|00|-|00|7|00|1|00|7|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|5|00|B|00|-|00|D|00|4|00|1|00|2|00|0|00|3|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q14)(?=\s\x00|>\x00)/Osi"; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12274; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Friendly Technologies fwRemoteConfig ActiveX function call unicode access"; flow:established,to_client; content:"F|00|w|00|R|00|e|00|m|00|o|00|t|00|e|00|C|00|f|00|g|00|.|00|R|00|e|00|m|00|o|00|t|00|e|00|C|00|f|00|g|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)F\x00w\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)F\x00w\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,30889; reference:bugtraq,30891; reference:cve,2008-4048; reference:cve,2008-4049; classtype:attempted-user; sid:14242; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL Radio AmpX ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|4|00|9|00|C|00|4|00|5|00|9|00|7|00|-|00|8|00|7|00|2|00|1|00|-|00|4|00|7|00|8|00|9|00|-|00|9|00|2|00|5|00|0|00|-|00|3|00|1|00|5|00|D|00|F|00|B|00|D|00|9|00|F|00|5|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26396; reference:cve,2007-5755; classtype:attempted-user; sid:12730; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX East Wind Software ADVDAUDIO ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|9|00|5|00|A|00|7|00|7|00|8|00|F|00|-|00|E|00|8|00|4|00|6|00|-|00|4|00|8|00|D|00|D|00|-|00|9|00|4|00|F|00|2|00|-|00|2|00|8|00|0|00|F|00|D|00|E|00|D|00|1|00|A|00|A|00|D|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,23833; reference:cve,2007-2576; reference:url,moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html; classtype:attempted-user; sid:11207; 
rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft DirectX Media SDK ActiveX function call unicode access"; flow:established,to_client; content:"D|00|X|00|S|00|u|00|r|00|f|00|a|00|c|00|e|00|.|00|L|00|i|00|v|00|e|00|P|00|i|00|c|00|t|00|u|00|r|00|e|00|.|00|F|00|l|00|a|00|s|00|h|00|P|00|i|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00X\x00S\x00u\x00r\x00f\x00a\x00c\x00e\x00.\x00L\x00i\x00v\x00e\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00.\x00F\x00l\x00a\x00s\x00h\x00P\x00i\x00x\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00X\x00S\x00u\x00r\x00f\x00a\x00c\x00e\x00.\x00L\x00i\x00v\x00e\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00.\x00F\x00l\x00a\x00s\x00h\x00P\x00i\x00x\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25279; reference:cve,2007-4336; classtype:attempted-user; sid:12260; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sony ImageStation ActiveX function call unicode access"; flow:established,to_client; content:"A|00|x|00|R|00|U|00|p|00|l|00|o|00|a|00|d|00|S|00|e|00|r|00|v|00|e|00|r|00|.|00|A|00|x|00|R|00|U|00|p|00|l|00|o|00|a|00|d|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27715; reference:cve,2008-0748; classtype:attempted-user; sid:13550; rev:5;) # alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Clever Internet Suite ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|8|00|F|00|9|00|2|00|8|00|4|00|7|00|-|00|7|00|C|00|2|00|1|00|-|00|4|00|5|00|2|00|B|00|-|00|9|00|1|00|A|00|5|00|-|00|4|00|9|00|D|00|9|00|3|00|A|00|A|00|1|00|8|00|F|00|3|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25063; reference:cve,2007-4067; classtype:attempted-user; sid:12190; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 1 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|6|00|0|00|7|00|7|00|0|00|C|00|2|00|-|00|0|00|3|00|9|00|0|00|-|00|4|00|1|00|A|00|8|00|-|00|A|00|8|00|D|00|E|00|-|00|6|00|1|00|8|00|8|00|9|00|8|00|8|00|8|00|D|00|8|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x006\x000\x007\x007\x000\x00C\x002\x00-\x000\x003\x009\x000\x00-\x004\x001\x00A\x008\x00-\x00A\x008\x00D\x00E\x00-\x006\x001\x008\x008\x009\x008\x008\x008\x00D\x008\x004\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14089; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Macrovision FLEXnet Connect ActiveX function call unicode access"; flow:established,to_client; content:"M|00|V|00|S|00|N|00|C|00|l|00|i|00|e|00|n|00|t|00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|6|00|1|00|L|00|i|00|b|00|.|00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00V\x00S\x00N\x00C\x00l\x00i\x00e\x00n\x00t\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x006\x001\x00L\x00i\x00b\x00.\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q8)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)M\x00V\x00S\x00N\x00C\x00l\x00i\x00e\x00n\x00t\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x006\x001\x00L\x00i\x00b\x00.\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q9)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,27279; reference:cve,2008-4586; reference:cve,2008-4587; classtype:attempted-user; sid:13328; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare IntraProcessLogging ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|F|00|1|00|3|00|B|00|0|00|7|00|E|00|-|00|2|00|8|00|A|00|1|00|-|00|4|00|C|00|A|00|C|00|-|00|9|00|C|00|9|00|A|00|-|00|E|00|C|00|5|00|8|00|2|00|E|00|3|00|5|00|4|00|A|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25110; reference:cve,2007-4059; classtype:attempted-user; sid:12201; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbContext Class ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|e|00|1|00|c|00|0|00|0|00|e|00|b|00|-|00|6|00|4|00|6|00|8|00|-|00|4|00|0|00|a|00|e|00|-|00|9|00|4|00|b|00|3|00|-|00|2|00|c|00|8|00|d|00|8|00|0|00|0|00|8|00|0|00|f|00|2|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00e\x001\x00c\x000\x000\x00e\x00b\x00-\x006\x004\x006\x008\x00-\x004\x000\x00a\x00e\x00-\x009\x004\x00b\x003\x00-\x002\x00c\x008\x00d\x008\x000\x000\x008\x000\x00f\x002\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14331; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Cryptographic API COM 2 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|B|00|A|00|B|00|0|00|3|00|3|00|B|00|-|00|C|00|D|00|D|00|0|00|-|00|4|00|C|00|5|00|E|00|-|00|8|00|1|00|A|00|B|00|-|00|A|00|E|00|A|00|5|00|7|00|5|00|C|00|D|00|1|00|3|00|3|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:cve,2007-0940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-028; classtype:attempted-user; sid:11235; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX eCentrex VOIP Client Module ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|D|00|8|00|0|00|D|00|3|00|7|00|5|00|-|00|5|00|4|00|3|00|9|00|-|00|4|00|D|00|8|00|0|00|-|00|B|00|1|00|2|00|8|00|-|00|D|00|D|00|A|00|5|00|F|00|D|00|C|00|3|00|A|00|E|00|6|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25383; reference:cve,2007-4489; reference:url,www.e800phone.com; classtype:attempted-user; sid:12302; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX Kaspersky AntiVirus KAV60Info ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|9|00|E|00|C|00|2|00|2|00|E|00|7|00|-|00|1|00|A|00|8|00|6|00|-|00|4|00|F|00|7|00|C|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|3|00|0|00|3|00|A|00|E|00|5|00|D|00|6|00|7|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,23345; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; classtype:attempted-user; sid:10432; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 57 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|3|00|3|00|E|00|6|00|2|00|A|00|D|00|-|00|1|00|6|00|5|00|5|00|-|00|4|00|9|00|9|00|F|00|-|00|9|00|0|00|8|00|E|00|-|00|6|00|2|00|D|00|C|00|A|00|1|00|E|00|B|00|2|00|E|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x003\x003\x00E\x006\x002\x00A\x00D\x00-\x001\x006\x005\x005\x00-\x004\x009\x009\x00F\x00-\x009\x000\x008\x00E\x00-\x006\x002\x00D\x00C\x00A\x001\x00E\x00B\x002\x00E\x00C\x006\x00(}\x00)?(?P=q106)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14201; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Digital Imaging hpqxml.dll ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|C|00|0|00|A|00|0|00|3|00|2|00|1|00|-|00|B|00|3|00|2|00|8|00|-|00|4|00|6|00|6|00|C|00|-|00|8|00|E|00|C|00|A|00|-|00|B|00|9|00|A|00|5|00|5|00|2|00|2|00|4|00|6|00|6|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24678; 
reference:cve,2007-3487; reference:url,www.securityfocus.com/archive/1/472384; classtype:attempted-user; sid:12030; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 54 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|3|00|7|00|9|00|6|00|1|00|6|00|6|00|-|00|A|00|0|00|3|00|C|00|-|00|4|00|1|00|8|00|A|00|-|00|A|00|F|00|3|00|A|00|-|00|0|00|6|00|0|00|1|00|1|00|5|00|D|00|4|00|E|00|4|00|7|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x003\x007\x009\x006\x001\x006\x006\x00-\x00A\x000\x003\x00C\x00-\x004\x001\x008\x00A\x00-\x00A\x00F\x003\x00A\x00-\x000\x006\x000\x001\x001\x005\x00D\x004\x00E\x004\x007\x008\x00(}\x00)?(?P=q100)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14195; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call unicode access attempt"; flow:established,to_client; file_data; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:12783; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Second Sight Software ActiveGS ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|5|00|2|00|D|00|F|00|1|00|4|00|F|00|-|00|6|00|F|00|2|00|8|00|-|00|4|00|4|00|A|00|0|00|-|00|9|00|1|00|3|00|0|00|-|00|2|00|9|00|4|00|F|00|D|00|A|00|6|00|1|00|7|00|6|00|E|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:bugtraq,23554; reference:cve,2007-1690; reference:url,www.kb.cert.org/vuls/id/118737; classtype:attempted-user; sid:10979; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbDatabase Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|D|00|a|00|t|00|a|00|b|00|a|00|s|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00D\x00a\x00t\x00a\x00b\x00a\x00s\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00D\x00a\x00t\x00a\x00b\x00a\x00s\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14423; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HTML Inline Movie Control ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|4|00|2|00|2|00|D|00|A|00|E|00|7|00|-|00|9|00|9|00|2|00|9|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|D|00|3|00|-|00|0|00|0|00|4|00|0|00|3|00|3|00|3|00|7|00|3|00|D|00|A|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x004\x002\x002\x00D\x00A\x00E\x007\x00-\x009\x009\x002\x009\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x00D\x003\x00-\x000\x000\x004\x000\x003\x003\x003\x007\x003\x00D\x00A\x008\x00(}\x00)?\5/si"; reference:cve,2007-0219; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-016; classtype:attempted-user; sid:10149; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer Stream Handler ActiveX function call unicode 
access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|S|00|t|00|r|00|e|00|a|00|m|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00t\x00r\x00e\x00a\x00m\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q41)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00t\x00r\x00e\x00a\x00m\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q42)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:14053; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|G|00|2|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q21)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q22)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24658; reference:bugtraq,26660; reference:bugtraq,28157; reference:cve,2007-3410; reference:cve,2007-6224; reference:cve,2008-1309; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12769; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Clever Internet Suite ActiveX function call unicode access"; flow:established,to_client; content:"c|00|l|00|I|00|n|00|e|00|t|00|S|00|u|00|i|00|t|00|e|00|X|00|6|00|.|00|c|00|l|00|W|00|e|00|b|00|D|00|a|00|v|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)c\x00l\x00I\x00n\x00e\x00t\x00S\x00u\x00i\x00t\x00e\x00X\x006\x00.\x00c\x00l\x00W\x00e\x00b\x00D\x00a\x00v\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)c\x00l\x00I\x00n\x00e\x00t\x00S\x00u\x00i\x00t\x00e\x00X\x006\x00.\x00c\x00l\x00W\x00e\x00b\x00D\x00a\x00v\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25063; reference:cve,2007-4067; classtype:attempted-user; sid:12192; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Lotus SameTime STJNILoader Alt CLSID ActiveX clsid 
unicode access"; flow:established,to_client; content:"0|00|B|00|9|00|C|00|9|00|C|00|7|00|D|00|-|00|E|00|D|00|8|00|1|00|-|00|4|00|5|00|9|00|4|00|-|00|A|00|F|00|C|00|B|00|-|00|F|00|C|00|5|00|5|00|8|00|8|00|1|00|2|00|5|00|3|00|8|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00B\x009\x00C\x009\x00C\x007\x00D\x00-\x00E\x00D\x008\x001\x00-\x004\x005\x009\x004\x00-\x00A\x00F\x00C\x00B\x00-\x00F\x00C\x005\x005\x008\x008\x001\x002\x005\x003\x008\x002\x00(}\x00)?\5/si"; reference:bugtraq,23201; reference:cve,2007-1784; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21257029; reference:url,www.securityfocus.com/archive/1/464185; classtype:attempted-user; sid:10413; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|8|00|A|00|2|00|9|00|5|00|D|00|A|00|-|00|0|00|8|00|8|00|E|00|-|00|4|00|2|00|D|00|1|00|-|00|B|00|E|00|3|00|1|00|-|00|5|00|0|00|2|00|8|00|D|00|7|00|F|00|9|00|B|00|9|00|B|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x008\x00A\x002\x009\x005\x00D\x00A\x00-\x000\x008\x008\x00E\x00-\x004\x002\x00D\x001\x00-\x00B\x00E\x003\x001\x00-\x005\x000\x002\x008\x00D\x007\x00F\x009\x00B\x009\x00B\x005\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23811; reference:bugtraq,33243; reference:bugtraq,33283; reference:cve,2007-2588; reference:cve,2009-0382; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:11200; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX Microsoft Agent Control ActiveX function call unicode access"; flow:established,to_client; content:"A|00|g|00|e|00|n|00|t|00|.|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,25566; reference:cve,2007-3040; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-051; classtype:attempted-user; sid:12451; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMMsg Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|M|00|s|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00M\x00s\x00g\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00M\x00s\x00g\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14347; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 22 ActiveX clsid 
unicode access"; flow:established,to_client; content:"1|00|E|00|0|00|D|00|3|00|3|00|3|00|2|00|-|00|7|00|4|00|4|00|1|00|-|00|4|00|4|00|F|00|F|00|-|00|A|00|2|00|2|00|5|00|-|00|A|00|F|00|4|00|8|00|E|00|9|00|7|00|7|00|D|00|8|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00E\x000\x00D\x003\x003\x003\x002\x00-\x007\x004\x004\x001\x00-\x004\x004\x00F\x00F\x00-\x00A\x002\x002\x005\x00-\x00A\x00F\x004\x008\x00E\x009\x007\x007\x00D\x008\x00B\x006\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14131; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec NavComUI AxSysListView32OAA ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|A|00|F|00|0|00|2|00|D|00|9|00|B|00|-|00|9|00|6|00|3|00|D|00|-|00|4|00|3|00|D|00|8|00|-|00|9|00|1|00|A|00|6|00|-|00|E|00|7|00|1|00|3|00|8|00|3|00|5|00|0|00|3|00|F|00|D|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12251; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Backup Exec ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|2|00|a|00|c|00|d|00|1|00|6|00|f|00|-|00|9|00|9|00|e|00|b|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|b|00|b|00|3|00|-|00|0|00|0|00|4|00|0|00|0|00|5|00|6|00|1|00|d|00|9|00|7|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,26904; reference:cve,2007-6016; 
reference:url,www.symantec.com/avcenter/security/Content/2008.02.28.html; classtype:attempted-user; sid:13540; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec NavComUI AxSysListView32 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|A|00|3|00|9|00|8|00|E|00|E|00|6|00|-|00|2|00|7|00|7|00|C|00|-|00|4|00|8|00|0|00|D|00|-|00|B|00|D|00|4|00|F|00|-|00|3|00|2|00|8|00|8|00|E|00|A|00|3|00|A|00|B|00|8|00|E|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,24983; reference:cve,2007-2955; reference:url,www.symantec.com/avcenter/security/Content/2007.08.09.html; classtype:attempted-user; sid:12247; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbSchema Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|S|00|c|00|h|00|e|00|m|00|a|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00S\x00c\x00h\x00e\x00m\x00a\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00S\x00c\x00h\x00e\x00m\x00a\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14389; rev:7;) # alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 11 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|9|00|a|00|1|00|b|00|3|00|a|00|3|00|-|00|0|00|c|00|4|00|c|00|-|00|4|00|e|00|0|00|8|00|-|00|a|00|1|00|b|00|1|00|-|00|8|00|4|00|a|00|6|00|e|00|6|00|f|00|f|00|4|00|1|00|4|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x009\x00a\x001\x00b\x003\x00a\x003\x00-\x000\x00c\x004\x00c\x00-\x004\x00e\x000\x008\x00-\x00a\x001\x00b\x001\x00-\x008\x004\x00a\x006\x00e\x006\x00f\x00f\x004\x001\x004\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14443; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX McAfee ePolicy Orchestrator ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|1|00|2|00|4|00|F|00|D|00|F|00|6|00|-|00|B|00|5|00|4|00|0|00|-|00|4|00|4|00|C|00|5|00|-|00|9|00|6|00|B|00|4|00|-|00|A|00|3|00|8|00|0|00|C|00|E|00|E|00|9|00|8|00|2|00|6|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x002\x004\x00F\x00D\x00F\x006\x00-\x00B\x005\x004\x000\x00-\x004\x004\x00C\x005\x00-\x009\x006\x00B\x004\x00-\x00A\x003\x008\x000\x00C\x00E\x00E\x009\x008\x002\x006\x00A\x00(}\x00)?\5/si"; reference:bugtraq,22952; reference:cve,2007-1498; 
reference:url,knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496; classtype:attempted-user; sid:10388; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Facebook Photo Uploader ActiveX function call unicode access"; flow:established,to_client; content:"T|00|h|00|e|00|F|00|a|00|c|00|e|00|b|00|o|00|o|00|k|00|.|00|F|00|a|00|c|00|e|00|b|00|o|00|o|00|k|00|P|00|h|00|o|00|t|00|o|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|4|00|.|00|4|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)T\x00h\x00e\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00.\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00P\x00h\x00o\x00t\x00o\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x004\x00.\x004\x00.\x001\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)T\x00h\x00e\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00.\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00P\x00h\x00o\x00t\x00o\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x004\x00.\x004\x00.\x001\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,27534; reference:bugtraq,27756; reference:cve,2008-5711; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:13422; rev:13;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 17 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|5|00|F|00|B|00|3|00|0|00|7|00|3|00|-|00|C|00|A|00|8|00|E|00|-|00|4|00|2|00|A|00|1|00|-|00|9|00|A|00|9|00|A|00|-|00|2|00|F|00|8|00|2|00|6|00|D|00|0|00|5|00|A|00|8|00|4|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x005\x00F\x00B\x003\x000\x007\x003\x00-\x00C\x00A\x008\x00E\x00-\x004\x002\x00A\x001\x00-\x009\x00A\x009\x00A\x00-\x002\x00F\x008\x002\x006\x00D\x000\x005\x00A\x008\x004\x003\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14121; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EldoS SecureBlackbox PGPBBox ActiveX function call unicode access"; flow:established,to_client; content:"p|00|g|00|p|00|b|00|b|00|o|00|x|00|.|00|E|00|l|00|P|00|G|00|P|00|J|00|p|00|e|00|g|00|I|00|m|00|a|00|g|00|e|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)p\x00g\x00p\x00b\x00b\x00o\x00x\x00.\x00E\x00l\x00P\x00G\x00P\x00J\x00p\x00e\x00g\x00I\x00m\x00a\x00g\x00e\x00X\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)p\x00g\x00p\x00b\x00b\x00o\x00x\x00.\x00E\x00l\x00P\x00G\x00P\x00J\x00p\x00e\x00g\x00I\x00m\x00a\x00g\x00e\x00X\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24882; reference:cve,2007-3785; classtype:attempted-user; sid:12094; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Novell iPrint ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|6|00|7|00|2|00|3|00|f|00|9|00|7|00|-|00|7|00|a|00|a|00|0|00|-|00|1|00|1|00|d|00|4|00|-|00|8|00|9|00|1|00|9|00|-|00|f|00|f|00|2|00|d|00|7|00|1|00|d|00|0|00|d|00|3|00|2|00|c|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x006\x007\x002\x003\x00f\x009\x007\x00-\x007\x00a\x00a\x000\x00-\x001\x001\x00d\x004\x00-\x008\x009\x001\x009\x00-\x00f\x00f\x002\x00d\x007\x001\x00d\x000\x00d\x003\x002\x00c\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,27939; reference:bugtraq,29736; reference:bugtraq,30813; reference:bugtraq,30986; reference:bugtraq,31370; reference:cve,2008-0935; reference:cve,2008-2431; reference:cve,2008-2432; reference:cve,2008-2436; reference:cve,2008-2908; reference:url,secunia.com/advisories/40782; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html; classtype:attempted-user; sid:13524; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Windows Shell User Enumeration Object ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|0|00|6|00|6|00|4|00|C|00|A|00|F|00|-|00|A|00|F|00|0|00|D|00|-|00|0|00|0|00|0|00|4|00|-|00|A|00|3|00|0|00|0|00|-|00|5|00|C|00|7|00|D|00|2|00|5|00|F|00|F|00|2|00|2|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x000\x006\x006\x004\x00C\x00A\x00F\x00-\x00A\x00F\x000\x00D\x00-\x000\x000\x000\x004\x00-\x00A\x003\x000\x000\x00-\x005\x00C\x007\x00D\x002\x005\x00F\x00F\x002\x002\x00A\x000\x00(}\x00)?\5/si"; classtype:attempted-user; sid:10177; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Najdi.si Toolbar ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|4|00|2|00|5|00|9|00|9|00|A|00|9|00|-|00|E|00|B|00|4|00|1|00|-|00|4|00|F|00|1|00|F|00|-|00|B|00|9|00|9|00|9|00|-|00|7|00|3|00|7|00|B|00|C|00|5|00|8|00|7|00|F|00|3|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x002\x005\x009\x009\x00A\x009\x00-\x00E\x00B\x004\x001\x00-\x004\x00F\x001\x00F\x00-\x00B\x009\x009\x009\x00-\x007\x003\x007\x00B\x00C\x005\x008\x007\x00F\x003\x001\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,30922; reference:cve,2008-7103; classtype:attempted-user; sid:14244; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Voice Control ActiveX function call unicode access"; flow:established,to_client; content:"D|00|i|00|r|00|e|00|c|00|t|00|S|00|S|00|.|00|D|00|i|00|r|00|e|00|c|00|t|00|S|00|S|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:cve,2007-2222; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-034; classtype:attempted-user; sid:11829; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 47 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|D|00|4|00|6|00|1|00|9|00|5|00|-|00|B|00|6|00|3|00|4|00|-|00|4|00|C|00|4|00|1|00|-|00|B|00|5|00|3|00|B|00|-|00|5|00|0|00|9|00|3|00|5|00|2|00|7|00|F|00|B|00|7|00|9|00|1|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x00D\x004\x006\x001\x009\x005\x00-\x00B\x006\x003\x004\x00-\x004\x00C\x004\x001\x00-\x00B\x005\x003\x00B\x00-\x005\x000\x009\x003\x005\x002\x007\x00F\x00B\x007\x009\x001\x00(}\x00)?(?P=q84)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14181; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|F|00|1|00|3|00|B|00|0|00|7|00|E|00|-|00|2|00|8|00|A|00|1|00|-|00|4|00|C|00|A|00|C|00|-|00|9|00|C|00|9|00|A|00|-|00|E|00|C|00|5|00|8|00|2|00|E|00|3|00|5|00|4|00|A|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00F\x001\x003\x00B\x000\x007\x00E\x00-\x002\x008\x00A\x001\x00-\x004\x00C\x00A\x00C\x00-\x009\x00C\x009\x00A\x00-\x00E\x00C\x005\x008\x002\x00E\x003\x005\x004\x00A\x002\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14283; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Locator ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|F|00|7|00|4|00|8|00|F|00|D|00|E|00|-|00|0|00|5|00|9|00|7|00|-|00|4|00|4|00|3|00|c|00|-|00|8|00|5|00|9|00|6|00|-|00|7|00|1|00|8|00|5|00|4|00|C|00|5|00|E|00|A|00|2|00|0|00|A|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00F\x007\x004\x008\x00F\x00D\x00E\x00-\x000\x005\x009\x007\x00-\x004\x004\x003\x00c\x00-\x008\x005\x009\x006\x00-\x007\x001\x008\x005\x004\x00C\x005\x00E\x00A\x002\x000\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14271; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Yahoo Music JukeBox DataGrid ActiveX function call unicode access"; flow:established,to_client; content:"Y|00|M|00|P|00|.|00|Y|00|M|00|P|00|D|00|a|00|t|00|a|00|g|00|r|00|i|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)Y\x00M\x00P\x00.\x00Y\x00M\x00P\x00D\x00a\x00t\x00a\x00g\x00r\x00i\x00d\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)Y\x00M\x00P\x00.\x00Y\x00M\x00P\x00D\x00a\x00t\x00a\x00g\x00r\x00i\x00d\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,27579; reference:cve,2008-0624; classtype:attempted-user; sid:13429; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma unspecified 9 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|0|00|8|00|D|00|2|00|6|00|3|00|-|00|B|00|8|00|3|00|2|00|-|00|4|00|2|00|D|00|B|00|-|00|8|00|9|00|5|00|0|00|-|00|F|00|4|00|0|00|C|00|9|00|E|00|6|00|7|00|2|00|E|00|2|00|7|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x000\x008\x00D\x002\x006\x003\x00-\x00B\x008\x003\x002\x00-\x004\x002\x00D\x00B\x00-\x008\x009\x005\x000\x00-\x00F\x004\x000\x00C\x009\x00E\x006\x007\x002\x00E\x002\x007\x00(}\x00)?(?P=q142)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:14105; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX TeamListViewWnd Class ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|3|00|E|00|8|00|6|00|A|00|0|00|C|00|-|00|F|00|E|00|7|00|D|00|-|00|4|00|5|00|7|00|3|00|-|00|A|00|4|00|1|00|D|00|-|00|6|00|B|00|5|00|B|00|0|00|0|00|C|00|C|00|F|00|E|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x003\x00E\x008\x006\x00A\x000\x00C\x00-\x00F\x00E\x007\x00D\x00-\x004\x005\x007\x003\x00-\x00A\x004\x001\x00D\x00-\x006\x00B\x005\x00B\x000\x000\x00C\x00C\x00F\x00E\x002\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14299; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX function call unicode access"; flow:established,to_client; content:"s|00|n|00|p|00|v|00|w|00|.|00|S|00|n|00|a|00|p|00|s|00|h|00|o|00|t|00| |00|V|00|i|00|e|00|w|00|e|00|r|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; 
nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)s\x00n\x00p\x00v\x00w\x00.\x00S\x00n\x00a\x00p\x00s\x00h\x00o\x00t\x00(\s\x00)*V\x00i\x00e\x00w\x00e\x00r\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)s\x00n\x00p\x00v\x00w\x00.\x00S\x00n\x00a\x00p\x00s\x00h\x00o\x00t\x00(\s\x00)*V\x00i\x00e\x00w\x00e\x00r\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/si"; reference:cve,2008-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-041; reference:url,www.microsoft.com/TechNet/security/advisory/955179.mspx; classtype:attempted-user; sid:13906; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FlexLabel ActiveX function call unicode access"; flow:established,to_client; content:"F|00|l|00|e|00|x|00|L|00|a|00|b|00|e|00|l|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|F|00|l|00|e|00|x|00|L|00|a|00|b|00|e|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00(?P=q10)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00(?P=q11)(\s|>)(\s\x00)*\)\x00/smi"; reference:url,www.securityfocus.com/archive/1/468070; classtype:attempted-user; sid:11283; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP ModemUtil ActiveX clsid unicode access"; flow:established,to_client; 
content:"C|00|6|00|A|00|9|00|6|00|E|00|8|00|3|00|-|00|F|00|5|00|A|00|F|00|-|00|4|00|B|00|D|00|4|00|-|00|9|00|B|00|D|00|D|00|-|00|7|00|B|00|1|00|8|00|4|00|4|00|4|00|F|00|8|00|1|00|4|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; sid:11944; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sun Java Web Start ActiveX function call unicode access"; flow:established,to_client; content:"J|00|a|00|v|00|a|00|W|00|e|00|b|00|S|00|t|00|a|00|r|00|t|00|.|00|i|00|s|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)J\x00a\x00v\x00a\x00W\x00e\x00b\x00S\x00t\x00a\x00r\x00t\x00.\x00i\x00s\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00e\x00d\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)J\x00a\x00v\x00a\x00W\x00e\x00b\x00S\x00t\x00a\x00r\x00t\x00.\x00i\x00s\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00e\x00d\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,25734; reference:cve,2007-5019; classtype:attempted-user; sid:12475; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX TriEditDocument.TriEditDocument ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|3|00|8|00|D|00|A|00|5|00|E|00|0|00|-|00|F|00|1|00|7|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|4|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|2|00|7|00|0|00|F|00|8|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x003\x008\x00D\x00A\x005\x00E\x000\x00-\x00F\x001\x007\x001\x00-\x001\x001\x00D\x000\x00-\x009\x008\x004\x00E\x00-\x000\x000\x000\x000\x00F\x008\x000\x002\x007\x000\x00F\x008\x00(}\x00)?\5/si"; reference:bugtraq,18946; reference:cve,2006-3591; reference:url,browserfun.blogspot.com/2006/07/mobb-12-trieditdocument-url.html; reference:url,osvdb.org/27056; classtype:attempted-user; sid:9822; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Persits Software XUpload ActiveX function call unicode access"; flow:established,to_client; content:"P|00|e|00|r|00|s|00|i|00|t|00|s|00|.|00|X|00|U|00|p|00|l|00|o|00|a|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00e\x00r\x00s\x00i\x00t\x00s\x00.\x00X\x00U\x00p\x00l\x00o\x00a\x00d\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)P\x00e\x00r\x00s\x00i\x00t\x00s\x00.\x00X\x00U\x00p\x00l\x00o\x00a\x00d\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,27025; reference:bugtraq,27456; reference:bugtraq,36550; reference:cve,2007-6530; reference:cve,2008-0492; reference:cve,2009-3693; classtype:attempted-user; sid:13235; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbQuery Class ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|7|00|7|00|c|00|a|00|8|00|b|00|0|00|-|00|4|00|c|00|2|00|a|00|-|00|4|00|0|00|c|00|9|00|-|00|a|00|4|00|4|00|0|00|-|00|2|00|8|00|a|00|c|00|b|00|9|00|5|00|c|00|f|00|a|00|d|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x007\x00c\x00a\x008\x00b\x000\x00-\x004\x00c\x002\x00a\x00-\x004\x000\x00c\x009\x00-\x00a\x004\x004\x000\x00-\x002\x008\x00a\x00c\x00b\x009\x005\x00c\x00f\x00a\x00d\x008\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14367; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Kaspersky AntiVirus KAV60Info ActiveX function call unicode access"; flow:established,to_client; content:"A|00|x|00|K|00|L|00|P|00|r|00|o|00|d|00|6|00|0|00|.|00|K|00|A|00|V|00|6|00|0|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00x\x00K\x00L\x00P\x00r\x00o\x00d\x006\x000\x00.\x00K\x00A\x00V\x006\x000\x00I\x00n\x00f\x00o\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00x\x00K\x00L\x00P\x00r\x00o\x00d\x006\x000\x00.\x00K\x00A\x00V\x006\x000\x00I\x00n\x00f\x00o\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,23345; reference:cve,2007-1112; reference:url,www.kaspersky.com/technews?id=203038693; classtype:attempted-user; sid:10434; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid unicode access attempt"; 
flow:established,to_client; file_data; content:"6|00|E|00|5|00|E|00|1|00|6|00|7|00|B|00|-|00|1|00|5|00|6|00|6|00|-|00|4|00|3|00|1|00|6|00|-|00|B|00|2|00|7|00|F|00|-|00|0|00|D|00|D|00|A|00|B|00|3|00|4|00|8|00|4|00|C|00|F|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x005\x00E\x001\x006\x007\x00B\x00-\x001\x005\x006\x006\x00-\x004\x003\x001\x006\x00-\x00B\x002\x007\x00F\x00-\x000\x00D\x00D\x00A\x00B\x003\x004\x008\x004\x00C\x00F\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26537; reference:bugtraq,27577; reference:cve,2008-0660; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; reference:url,technet.microsoft.com/en-us/security/advisory/953839; classtype:attempted-user; sid:12781; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ourgame GLWorld ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|1|00|F|00|5|00|C|00|3|00|5|00|8|00|-|00|6|00|0|00|F|00|B|00|-|00|4|00|A|00|2|00|3|00|-|00|A|00|3|00|1|00|2|00|-|00|D|00|2|00|B|00|5|00|5|00|6|00|6|00|2|00|0|00|F|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,27626; reference:cve,2008-0647; classtype:attempted-user; sid:13786; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Input Method Editor 3 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|E|00|4|00|1|00|9|00|1|00|F|00|B|00|-|00|5|00|9|00|E|00|F|00|-|00|4|00|8|00|2|00|5|00|-|00|A|00|E|00|F|00|C|00|-|00|1|00|0|00|9|00|7|00|2|00|7|00|9|00|5|00|1|00|E|00|4|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; 
reference:cve,2007-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-027; reference:url,www.xsec.org/index.php?module=releases&act=view&type=1&id=9; classtype:attempted-user; sid:11229; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RealPlayer RAM Download Handler ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|R|00|A|00|M|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00A\x00M\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q16)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00A\x00M\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q17)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,28157; reference:cve,2008-1309; reference:url,www.kb.cert.org/vuls/id/831457; classtype:attempted-user; sid:13606; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Chilkat HTTP 1 ActiveX function call unicode access"; flow:established,to_client; content:"C|00|H|00|I|00|L|00|K|00|A|00|T|00|H|00|T|00|T|00|P|00|L|00|i|00|b|00|.|00|C|00|h|00|i|00|l|00|k|00|a|00|t|00|H|00|t|00|t|00|p|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00(?P=q13)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,28546; reference:cve,2008-1647; classtype:attempted-user; sid:13688; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|E|00|D|00|7|00|4|00|A|00|E|00|3|00|-|00|8|00|0|00|6|00|6|00|-|00|4|00|3|00|8|00|5|00|-|00|A|00|A|00|B|00|A|00|-|00|2|00|4|00|3|00|E|00|0|00|3|00|3|00|F|00|7|00|5|00|A|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,24613; reference:cve,2007-3400; reference:url,nctsoft.com/products/NCTAudioEditor2/; classtype:attempted-user; sid:12020; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbContext Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|C|00|o|00|n|00|t|00|e|00|x|00|t|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00o\x00n\x00t\x00e\x00x\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00o\x00n\x00t\x00e\x00x\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14333; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX function call unicode access"; flow:established,to_client; content:"O|00|W|00|C|00|1|00|1|00|.|00|D|00|a|00|t|00|a|00|S|00|o|00|u|00|r|00|c|00|e|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x001\x00.\x00D\x00a\x00t\x00a\x00S\x00o\x00u\x00r\x00c\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x001\x00.\x00D\x00a\x00t\x00a\x00S\x00o\x00u\x00r\x00c\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,19069; reference:bugtraq,24462; reference:cve,2006-3729; reference:url,browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html; reference:url,osvdb.org/27111; classtype:attempted-user; sid:11967; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 
any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker SASATL ActiveX function call unicode access"; flow:established,to_client; content:"S|00|a|00|f|00|e|00|A|00|n|00|d|00|S|00|o|00|u|00|n|00|d|00|A|00|T|00|L|00|.|00|N|00|i|00|x|00|o|00|n|00|M|00|y|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00M\x00y\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00M\x00y\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,25025; reference:cve,2007-3984; classtype:attempted-user; sid:12119; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MSN Heartbeat 3 ActiveX clsid unicode access"; flow:established,to_client; content:"a|00|e|00|1|00|c|00|0|00|1|00|e|00|3|00|-|00|0|00|2|00|8|00|3|00|-|00|1|00|1|00|d|00|3|00|-|00|9|00|b|00|3|00|f|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|8|00|e|00|f|00|4|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-069; classtype:attempted-user; sid:12960; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RichFX Basic Player ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; 
reference:bugtraq,26573; classtype:attempted-user; sid:12752; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX function call unicode access"; flow:established,to_client; content:"C|00|o|00|m|00|m|00|o|00|n|00|A|00|c|00|t|00|i|00|v|00|e|00|X|00|.|00|I|00|T|00|R|00|M|00|L|00|e|00|g|00|e|00|n|00|d|00|s|00|C|00|t|00|r|00|l|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-1786; classtype:attempted-user; sid:14032; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|6|00|2|00|3|00|9|00|E|00|B|00|3|00|-|00|E|00|0|00|B|00|0|00|-|00|4|00|6|00|D|00|A|00|-|00|A|00|2|00|1|00|5|00|-|00|C|00|F|00|A|00|9|00|B|00|3|00|B|00|7|00|4|00|0|00|C|00|5|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x002\x003\x009\x00E\x00B\x003\x00-\x00E\x000\x00B\x000\x00-\x004\x006\x00D\x00A\x00-\x00A\x002\x001\x005\x00-\x00C\x00F\x00A\x009\x00B\x003\x00B\x007\x004\x000\x00C\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-1786; classtype:attempted-user; sid:14026; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec SupportSoft SmartIssue ActiveX function call unicode access"; flow:established,to_client; content:"S|00|P|00|R|00|T|00|.|00|S|00|m|00|a|00|r|00|t|00|I|00|s|00|s|00|u|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00P\x00R\x00T\x00.\x00S\x00m\x00a\x00r\x00t\x00I\x00s\x00s\x00u\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00P\x00R\x00T\x00.\x00S\x00m\x00a\x00r\x00t\x00I\x00s\x00s\x00u\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,22564; reference:cve,2006-6490; reference:url,securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html; classtype:attempted-user; sid:16012; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR SRaT 1.6 runtime detection"; flow:to_server,established; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; flowbits:set,srat.keepalive; flowbits:noalert; 
reference:url,www.virustotal.com/file-scan/report.html?id=aab0dc79e71ede6443503038c08c539843d37cdb37c0a0f624658860f4432fae-1226491210; classtype:trojan-activity; sid:19846; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR SRaT 1.6 runtime detection"; flow:to_client,established; content:"|01 00 00 00|"; flowbits:isset,srat.keepalive; reference:url,www.virustotal.com/file-scan/report.html?id=aab0dc79e71ede6443503038c08c539843d37cdb37c0a0f624658860f4432fae-1226491210; classtype:trojan-activity; sid:19847; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 15 ActiveX clsid unicode access"; flow:established,to_client; content:"b|00|3|00|9|00|9|00|2|00|4|00|a|00|c|00|-|00|b|00|1|00|6|00|4|00|-|00|4|00|f|00|0|00|a|00|-|00|b|00|2|00|d|00|8|00|-|00|f|00|0|00|7|00|2|00|9|00|5|00|d|00|f|00|7|00|1|00|0|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x003\x009\x009\x002\x004\x00a\x00c\x00-\x00b\x001\x006\x004\x00-\x004\x00f\x000\x00a\x00-\x00b\x002\x00d\x008\x00-\x00f\x000\x007\x002\x009\x005\x00d\x00f\x007\x001\x000\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14467; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.GuestInfo ActiveX function call unicode access"; flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|G|00|u|00|e|00|s|00|t|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00G\x00u\x00e\x00s\x00t\x00I\x00n\x00f\x00o\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00G\x00u\x00e\x00s\x00t\x00I\x00n\x00f\x00o\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14479; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Software Update RulesEngine.dll ActiveX function call unicode access"; flow:established,to_client; content:"H|00|P|00|R|00|u|00|l|00|e|00|s|00|E|00|n|00|g|00|i|00|n|00|e|00|.|00|C|00|o|00|n|00|t|00|e|00|n|00|t|00|C|00|o|00|l|00|l|00|e|00|c|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00P\x00R\x00u\x00l\x00e\x00s\x00E\x00n\x00g\x00i\x00n\x00e\x00.\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00C\x00o\x00l\x00l\x00e\x00c\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)H\x00P\x00R\x00u\x00l\x00e\x00s\x00E\x00n\x00g\x00i\x00n\x00e\x00.\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00C\x00o\x00l\x00l\x00e\x00c\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,26950; reference:cve,2007-6506; classtype:attempted-user; sid:14898; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Phoenician Casino ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|8|00|0|00|8|00|9|00|2|00|4|00|5|00|-|00|3|00|2|00|1|00|1|00|-|00|4|00|0|00|F|00|6|00|-|00|8|00|1|00|9|00|B|00|-|00|9|00|E|00|5|00|E|00|9|00|2|00|C|00|D|00|6|00|1|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x008\x000\x008\x009\x002\x004\x005\x00-\x003\x002\x001\x001\x00-\x004\x000\x00F\x006\x00-\x008\x001\x009\x00B\x00-\x009\x00E\x005\x00E\x009\x002\x00C\x00D\x006\x001\x00A\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,32901; reference:cve,2008-5691; classtype:attempted-user; sid:15174; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GeoVision LiveX 7000 ActiveX function call unicode access"; flow:established,to_client; content:"L|00|i|00|v|00|e|00|X|00|_|00|v|00|7|00|0|00|0|00|0|00|"; 
fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x007\x000\x000\x000\x00(\.\x00\d\x00)?(?P=q10)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x007\x000\x000\x000\x00(\.\x00\d\x00)?(?P=q11)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15337; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies Aztec ActiveX function call unicode access"; flow:established,to_client; content:"A|00|Z|00|T|00|E|00|C|00|.|00|M|00|W|00|6|00|A|00|z|00|t|00|e|00|c|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00Z\x00T\x00E\x00C\x00.\x00M\x00W\x006\x00A\x00z\x00t\x00e\x00c\x00(\.\x00\d\x00)?(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00Z\x00T\x00E\x00C\x00.\x00M\x00W\x006\x00A\x00z\x00t\x00e\x00c\x00(\.\x00\d\x00)?(?P=q20)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4923; classtype:attempted-user; sid:15281; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 25 ActiveX clsid unicode access"; flow:established,to_client; 
content:"f|00|c|00|a|00|c|00|0|00|a|00|d|00|0|00|-|00|f|00|f|00|5|00|0|00|-|00|4|00|d|00|b|00|a|00|-|00|8|00|c|00|7|00|9|00|-|00|f|00|1|00|7|00|1|00|0|00|2|00|e|00|1|00|5|00|c|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x00c\x00a\x00c\x000\x00a\x00d\x000\x00-\x00f\x00f\x005\x000\x00-\x004\x00d\x00b\x00a\x00-\x008\x00c\x007\x009\x00-\x00f\x001\x007\x001\x000\x002\x00e\x001\x005\x00c\x000\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14583; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbParseError Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|P|00|a|00|r|00|s|00|e|00|E|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00P\x00a\x00r\x00s\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00P\x00a\x00r\x00s\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; 
reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14573; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmappPropPath Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|P|00|a|00|t|00|h|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00P\x00a\x00t\x00h\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00P\x00a\x00t\x00h\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14563; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Animation Control ActiveX function call unicode access"; flow:established,to_client; content:"C|00|o|00|m|00|C|00|t|00|l|00|2|00|.|00|A|00|n|00|i|00|m|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00o\x00m\x00C\x00t\x00l\x002\x00.\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)C\x00o\x00m\x00C\x00t\x00l\x002\x00.\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15310; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies DataMatrix ActiveX function call unicode access"; flow:established,to_client; content:"D|00|A|00|T|00|A|00|M|00|A|00|T|00|R|00|I|00|X|00|.|00|M|00|W|00|6|00|D|00|a|00|t|00|a|00|M|00|a|00|t|00|r|00|i|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00A\x00T\x00A\x00M\x00A\x00T\x00R\x00I\x00X\x00.\x00M\x00W\x006\x00D\x00a\x00t\x00a\x00M\x00a\x00t\x00r\x00i\x00x\x00(\.\x00\d\x00)?(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)D\x00A\x00T\x00A\x00M\x00A\x00T\x00R\x00I\x00X\x00.\x00M\x00W\x006\x00D\x00a\x00t\x00a\x00M\x00a\x00t\x00r\x00i\x00x\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4925; classtype:attempted-user; sid:15277; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GeoVision LiveX 8200 ActiveX clsid unicode access"; 
flow:established,to_client; content:"8|00|D|00|5|00|8|00|D|00|6|00|9|00|0|00|-|00|6|00|B|00|7|00|1|00|-|00|4|00|E|00|E|00|8|00|-|00|8|00|5|00|A|00|D|00|-|00|0|00|0|00|6|00|D|00|B|00|0|00|2|00|8|00|7|00|B|00|F|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00D\x005\x008\x00D\x006\x009\x000\x00-\x006\x00B\x007\x001\x00-\x004\x00E\x00E\x008\x00-\x008\x005\x00A\x00D\x00-\x000\x000\x006\x00D\x00B\x000\x002\x008\x007\x00B\x00F\x001\x00(}\x00)?(?P=q19)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15343; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbUtil Class ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|1|00|d|00|1|00|d|00|8|00|4|00|a|00|-|00|3|00|1|00|8|00|e|00|-|00|4|00|b|00|c|00|e|00|-|00|9|00|d|00|4|00|b|00|-|00|9|00|d|00|6|00|6|00|6|00|4|00|c|00|9|00|9|00|b|00|d|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x001\x00d\x001\x00d\x008\x004\x00a\x00-\x003\x001\x008\x00e\x00-\x004\x00b\x00c\x00e\x00-\x009\x00d\x004\x00b\x00-\x009\x00d\x006\x006\x006\x004\x00c\x009\x009\x00b\x00d\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14495; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbCnxUtil Class ActiveX function call unicode 
access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|C|00|n|00|x|00|U|00|t|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00n\x00x\x00U\x00t\x00i\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00n\x00x\x00U\x00t\x00i\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14507; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MetaProducts MetaTreeX ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|7|00|E|00|6|00|6|00|9|00|8|00|5|00|-|00|F|00|8|00|1|00|A|00|-|00|1|00|1|00|D|00|6|00|-|00|B|00|C|00|0|00|F|00|-|00|F|00|7|00|B|00|4|00|0|00|1|00|5|00|7|00|D|00|C|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x007\x00E\x006\x006\x009\x008\x005\x00-\x00F\x008\x001\x00A\x00-\x001\x001\x00D\x006\x00-\x00B\x00C\x000\x00F\x00-\x00F\x007\x00B\x004\x000\x001\x005\x007\x00D\x00C\x002\x006\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33318; classtype:attempted-user; sid:15252; rev:4;) # alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MksCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|M|00|k|00|s|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14559; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMSwitchCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"c|00|e|00|5|00|5|00|a|00|c|00|6|00|b|00|-|00|d|00|0|00|f|00|a|00|-|00|4|00|b|00|e|00|6|00|-|00|b|00|c|00|9|00|0|00|-|00|c|00|3|00|1|00|8|00|e|00|7|00|3|00|8|00|3|00|c|00|d|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*c\x00e\x005\x005\x00a\x00c\x006\x00b\x00-\x00d\x000\x00f\x00a\x00-\x004\x00b\x00e\x006\x00-\x00b\x00c\x009\x000\x00-\x00c\x003\x001\x008\x00e\x007\x003\x008\x003\x00c\x00d\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; 
reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14489; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Visagesoft eXPert PDF Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|D|00|F|00|3|00|E|00|9|00|D|00|2|00|-|00|5|00|F|00|7|00|A|00|-|00|4|00|F|00|4|00|A|00|-|00|A|00|9|00|1|00|4|00|-|00|7|00|4|00|9|00|8|00|C|00|8|00|6|00|2|00|E|00|A|00|6|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00D\x00F\x003\x00E\x009\x00D\x002\x00-\x005\x00F\x007\x00A\x00-\x004\x00F\x004\x00A\x00-\x00A\x009\x001\x004\x00-\x007\x004\x009\x008\x00C\x008\x006\x002\x00E\x00A\x006\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,31984; reference:cve,2008-4919; classtype:attempted-user; sid:14994; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Chilkat Crypt 2 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|3|00|5|00|2|00|B|00|5|00|B|00|9|00|-|00|8|00|2|00|E|00|8|00|-|00|4|00|F|00|F|00|D|00|-|00|9|00|E|00|B|00|1|00|-|00|1|00|A|00|3|00|E|00|6|00|0|00|0|00|5|00|6|00|9|00|0|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x003\x005\x002\x00B\x005\x00B\x009\x00-\x008\x002\x00E\x008\x00-\x004\x00F\x00F\x00D\x00-\x009\x00E\x00B\x001\x00-\x001\x00A\x003\x00E\x006\x000\x000\x005\x006\x009\x000\x004\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/siO"; 
reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:15004; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 19 ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|3|00|4|00|4|00|e|00|f|00|7|00|e|00|-|00|e|00|5|00|5|00|9|00|-|00|4|00|8|00|b|00|4|00|-|00|8|00|b|00|1|00|6|00|-|00|0|00|7|00|9|00|5|00|0|00|b|00|f|00|1|00|f|00|1|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x003\x004\x004\x00e\x00f\x007\x00e\x00-\x00e\x005\x005\x009\x00-\x004\x008\x00b\x004\x00-\x008\x00b\x001\x006\x00-\x000\x007\x009\x005\x000\x00b\x00f\x001\x00f\x001\x009\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14499; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft PicturePusher ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|0|00|7|00|8|00|1|00|3|00|C|00|3|00|-|00|0|00|B|00|2|00|6|00|-|00|4|00|7|00|A|00|D|00|-|00|A|00|8|00|C|00|0|00|-|00|D|00|4|00|8|00|3|00|C|00|7|00|A|00|2|00|1|00|F|00|A|00|7|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x000\x007\x008\x001\x003\x00C\x003\x00-\x000\x00B\x002\x006\x00-\x004\x007\x00A\x00D\x00-\x00A\x008\x00C\x000\x00-\x00D\x004\x008\x003\x00C\x007\x00A\x002\x001\x00F\x00A\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31632; reference:cve,2008-4493; classtype:attempted-user; sid:14638; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iseemedia LPViewer ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|f|00|0|00|e|00|e|00|c|00|c|00|e|00|-|00|e|00|1|00|3|00|8|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|7|00|1|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|3|00|d|00|8|00|3|00|f|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00f\x000\x00e\x00e\x00c\x00c\x00e\x00-\x00e\x001\x003\x008\x00-\x001\x001\x00d\x001\x00-\x008\x007\x001\x002\x00-\x000\x000\x006\x000\x000\x008\x003\x00d\x008\x003\x00f\x005\x00(}\x00)?(?P=q23)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:14761; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare VMCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|8|00|D|00|B|00|7|00|7|00|F|00|9|00|-|00|0|00|5|00|8|00|D|00|-|00|4|00|9|00|5|00|5|00|-|00|9|00|8|00|A|00|A|00|-|00|4|00|A|00|9|00|F|00|3|00|B|00|6|00|A|00|5|00|B|00|0|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x008\x00D\x00B\x007\x007\x00F\x009\x00-\x000\x005\x008\x00D\x00-\x004\x009\x005\x005\x00-\x009\x008\x00A\x00A\x00-\x004\x00A\x009\x00F\x003\x00B\x006\x00A\x005\x00B\x000\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14612; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Animation Control ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|E|00|2|00|1|00|6|00|2|00|4|00|0|00|-|00|1|00|B|00|7|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|D|00|5|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|3|00|C|00|9|00|C|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00E\x002\x001\x006\x002\x004\x000\x00-\x001\x00B\x007\x00D\x00-\x001\x001\x00C\x00F\x00-\x009\x00D\x005\x003\x00-\x000\x000\x00A\x00A\x000\x000\x003\x00C\x009\x00C\x00B\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15308; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NavigationCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"f|00|6|00|6|00|5|00|f|00|a|00|3|00|4|00|-|00|e|00|f|00|a|00|7|00|-|00|4|00|d|00|f|00|f|00|-|00|b|00|e|00|e|00|6|00|-|00|a|00|d|00|2|00|7|00|f|00|a|00|3|00|9|00|6|00|c|00|2|00|b|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x006\x006\x005\x00f\x00a\x003\x004\x00-\x00e\x00f\x00a\x007\x00-\x004\x00d\x00f\x00f\x00-\x00b\x00e\x00e\x006\x00-\x00a\x00d\x002\x007\x00f\x00a\x003\x009\x006\x00c\x002\x00b\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14575; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CheckedListViewWnd Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|3|00|a|00|a|00|8|00|d|00|1|00|0|00|-|00|0|00|2|00|e|00|2|00|-|00|4|00|6|00|1|00|5|00|-|00|b|00|5|00|2|00|4|00|-|00|9|00|0|00|8|00|a|00|3|00|b|00|8|00|7|00|1|00|6|00|e|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x003\x00a\x00a\x008\x00d\x001\x000\x00-\x000\x002\x00e\x002\x00-\x004\x006\x001\x005\x00-\x00b\x005\x002\x004\x00-\x009\x000\x008\x00a\x003\x00b\x008\x007\x001\x006\x00e\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14539; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies Aztec ActiveX clsid unicode access"; flow:established,to_client; 
content:"F|00|3|00|5|00|9|00|7|00|3|00|2|00|D|00|-|00|D|00|0|00|2|00|0|00|-|00|4|00|0|00|E|00|D|00|-|00|8|00|3|00|F|00|F|00|-|00|F|00|3|00|8|00|1|00|E|00|F|00|E|00|3|00|6|00|B|00|5|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x003\x005\x009\x007\x003\x002\x00D\x00-\x00D\x000\x002\x000\x00-\x004\x000\x00E\x00D\x00-\x008\x003\x00F\x00F\x00-\x00F\x003\x008\x001\x00E\x00F\x00E\x003\x006\x00B\x005\x004\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4923; classtype:attempted-user; sid:15279; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Nwz Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|b|00|8|00|0|00|2|00|1|00|1|00|b|00|-|00|e|00|f|00|4|00|4|00|-|00|4|00|6|00|3|00|c|00|-|00|a|00|d|00|a|00|b|00|-|00|b|00|7|00|5|00|c|00|c|00|d|00|6|00|8|00|c|00|1|00|6|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00b\x008\x000\x002\x001\x001\x00b\x00-\x00e\x00f\x004\x004\x00-\x004\x006\x003\x00c\x00-\x00a\x00d\x00a\x00b\x00-\x00b\x007\x005\x00c\x00c\x00d\x006\x008\x00c\x001\x006\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14549; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Elevated.VMXCreator ActiveX clsid unicode access"; flow:established,to_client; 
content:"D|00|F|00|C|00|7|00|6|00|A|00|6|00|B|00|-|00|4|00|8|00|7|00|3|00|-|00|4|00|5|00|8|00|C|00|-|00|A|00|B|00|0|00|0|00|-|00|4|00|0|00|B|00|1|00|F|00|C|00|0|00|2|00|8|00|0|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00F\x00C\x007\x006\x00A\x006\x00B\x00-\x004\x008\x007\x003\x00-\x004\x005\x008\x00C\x00-\x00A\x00B\x000\x000\x00-\x004\x000\x00B\x001\x00F\x00C\x000\x002\x008\x000\x000\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14521; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vmc2vmx.CoVPCDrive ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|9|00|9|00|0|00|2|00|D|00|5|00|6|00|-|00|1|00|F|00|2|00|A|00|-|00|4|00|7|00|D|00|6|00|-|00|8|00|9|00|A|00|A|00|-|00|0|00|8|00|F|00|4|00|9|00|A|00|4|00|0|00|A|00|E|00|8|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x009\x009\x000\x002\x00D\x005\x006\x00-\x001\x00F\x002\x00A\x00-\x004\x007\x00D\x006\x00-\x008\x009\x00A\x00A\x00-\x000\x008\x00F\x004\x009\x00A\x004\x000\x00A\x00E\x008\x00C\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; 
classtype:attempted-user; sid:14509; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vmc2vmx.CoVPCDrive ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|c|00|2|00|v|00|m|00|x|00|.|00|C|00|o|00|V|00|P|00|C|00|D|00|r|00|i|00|v|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14511; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iDefense COMRaider ActiveX function call unicode access"; flow:established,to_client; content:"v|00|b|00|D|00|e|00|v|00|K|00|i|00|t|00|.|00|C|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|F|00|i|00|l|00|e|00|S|00|y|00|s|00|t|00|e|00|m|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00b\x00D\x00e\x00v\x00K\x00i\x00t\x00.\x00C\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00F\x00i\x00l\x00e\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00b\x00D\x00e\x00v\x00K\x00i\x00t\x00.\x00C\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00F\x00i\x00l\x00e\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q10)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33867; classtype:attempted-user; sid:15375; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMwareVpcCvt.VpcC ActiveX function call unicode access"; flow:established,to_client; content:"V|00|M|00|w|00|a|00|r|00|e|00|V|00|p|00|c|00|C|00|v|00|t|00|.|00|V|00|p|00|c|00|C|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00M\x00w\x00a\x00r\x00e\x00V\x00p\x00c\x00C\x00v\x00t\x00.\x00V\x00p\x00c\x00C\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00M\x00w\x00a\x00r\x00e\x00V\x00p\x00c\x00C\x00v\x00t\x00.\x00V\x00p\x00c\x00C\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14503; 
rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 13 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|e|00|a|00|0|00|c|00|3|00|1|00|0|00|-|00|9|00|1|00|4|00|0|00|-|00|4|00|7|00|3|00|5|00|-|00|9|00|0|00|d|00|b|00|-|00|5|00|b|00|a|00|b|00|c|00|5|00|7|00|5|00|8|00|3|00|f|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00e\x00a\x000\x00c\x003\x001\x000\x00-\x009\x001\x004\x000\x00-\x004\x007\x003\x005\x00-\x009\x000\x00d\x00b\x00-\x005\x00b\x00a\x00b\x00c\x005\x007\x005\x008\x003\x00f\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14447; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmappPropPath Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|c|00|8|00|9|00|1|00|8|00|8|00|1|00|-|00|b|00|e|00|6|00|3|00|-|00|4|00|5|00|c|00|f|00|-|00|9|00|7|00|c|00|9|00|-|00|3|00|4|00|6|00|1|00|5|00|a|00|a|00|2|00|0|00|9|00|c|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00c\x008\x009\x001\x008\x008\x001\x00-\x00b\x00e\x006\x003\x00-\x004\x005\x00c\x00f\x00-\x009\x007\x00c\x009\x00-\x003\x004\x006\x001\x005\x00a\x00a\x002\x000\x009\x00c\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; 
reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14561; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbUtil Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|U|00|t|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00t\x00i\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00t\x00i\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14497; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MksCompatCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|M|00|k|00|s|00|C|00|o|00|m|00|p|00|a|00|t|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00o\x00m\x00p\x00a\x00t\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00o\x00m\x00p\x00a\x00t\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14459; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SmartVMD ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|3|00|4|00|6|00|2|00|D|00|5|00|3|00|-|00|4|00|7|00|A|00|6|00|-|00|1|00|1|00|D|00|8|00|-|00|8|00|E|00|F|00|6|00|-|00|D|00|A|00|E|00|8|00|9|00|2|00|7|00|2|00|7|00|4|00|3|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x003\x004\x006\x002\x00D\x005\x003\x00-\x004\x007\x00A\x006\x00-\x001\x001\x00D\x008\x00-\x008\x00E\x00F\x006\x00-\x00D\x00A\x00E\x008\x009\x002\x007\x002\x007\x004\x003\x00C\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33348; reference:bugtraq,33349; classtype:attempted-user; sid:15250; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GeoVision LiveX 8120 ActiveX function call unicode access"; 
flow:established,to_client; content:"L|00|i|00|v|00|e|00|X|00|_|00|v|00|8|00|1|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x001\x002\x000\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x001\x002\x000\x00(\.\x00\d\x00)?(?P=q16)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15341; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmappPropFrame Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|F|00|r|00|a|00|m|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00F\x00r\x00a\x00m\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00F\x00r\x00a\x00m\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14483; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Visagesoft eXPert PDF Viewer ActiveX function call unicode access"; flow:established,to_client; content:"V|00|S|00|P|00|D|00|F|00|E|00|d|00|i|00|t|00|o|00|r|00|X|00|.|00|V|00|S|00|P|00|D|00|F|00|E|00|d|00|i|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00o\x00r\x00X\x00.\x00V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00o\x00r\x00X\x00.\x00V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,31984; reference:cve,2008-4919; classtype:attempted-user; sid:14996; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MksCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|c|00|2|00|4|00|c|00|8|00|6|00|e|00|-|00|3|00|4|00|d|00|d|00|-|00|4|00|5|00|f|00|3|00|-|00|9|00|2|00|8|00|d|00|-|00|e|00|c|00|b|00|7|00|c|00|2|00|b|00|3|00|a|00|f|00|b|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00c\x002\x004\x00c\x008\x006\x00e\x00-\x003\x004\x00d\x00d\x00-\x004\x005\x00f\x003\x00-\x009\x002\x008\x00d\x00-\x00e\x00c\x00b\x007\x00c\x002\x00b\x003\x00a\x00f\x00b\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14557; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sopcast SopCore ActiveX function call unicode access"; flow:established,to_client; content:"S|00|O|00|P|00|C|00|O|00|R|00|E|00|.|00|S|00|o|00|p|00|C|00|o|00|r|00|e|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00O\x00P\x00C\x00O\x00R\x00E\x00.\x00S\x00o\x00p\x00C\x00o\x00r\x00e\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00O\x00P\x00C\x00O\x00R\x00E\x00.\x00S\x00o\x00p\x00C\x00o\x00r\x00e\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33920; reference:cve,2009-0811; classtype:attempted-user; sid:15379; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AXIS Camera ActiveX function call unicode access"; flow:established,to_client; 
content:"C|00|a|00|m|00|I|00|m|00|a|00|g|00|e|00|.|00|C|00|a|00|m|00|I|00|m|00|a|00|g|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00.\x00C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00.\x00C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33408; reference:cve,2008-5260; classtype:attempted-user; sid:15246; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iseemedia LPViewer ActiveX function call unicode access"; flow:established,to_client; content:"L|00|P|00|V|00|i|00|e|00|w|00|e|00|r|00|.|00|L|00|P|00|V|00|i|00|e|00|w|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q24)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q25)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31604; reference:cve,2008-4384; classtype:attempted-user; sid:14763; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CurrentVMCtl Class ActiveX clsid unicode access"; 
flow:established,to_client; content:"f|00|d|00|9|00|9|00|f|00|7|00|4|00|c|00|-|00|9|00|d|00|0|00|6|00|-|00|4|00|1|00|5|00|e|00|-|00|8|00|c|00|6|00|0|00|-|00|a|00|2|00|4|00|9|00|d|00|1|00|6|00|f|00|1|00|d|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x00d\x009\x009\x00f\x007\x004\x00c\x00-\x009\x00d\x000\x006\x00-\x004\x001\x005\x00e\x00-\x008\x00c\x006\x000\x00-\x00a\x002\x004\x009\x00d\x001\x006\x00f\x001\x00d\x007\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14587; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SizerOne ActiveX function call unicode access"; flow:established,to_client; content:"T|00|a|00|b|00|O|00|n|00|e|00|.|00|T|00|a|00|b|00|O|00|n|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)T\x00a\x00b\x00O\x00n\x00e\x00.\x00T\x00a\x00b\x00O\x00n\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)T\x00a\x00b\x00O\x00n\x00e\x00.\x00T\x00a\x00b\x00O\x00n\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33148; reference:cve,2008-4827; classtype:attempted-user; sid:15195; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX Trend Micro HouseCall ActiveX function call unicode access"; flow:established,to_client; content:"X|00|S|00|C|00|A|00|N|00|.|00|X|00|s|00|c|00|a|00|n|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)X\x00S\x00C\x00A\x00N\x00.\x00X\x00s\x00c\x00a\x00n\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q8)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)X\x00S\x00C\x00A\x00N\x00.\x00X\x00s\x00c\x00a\x00n\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q9)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,32950; reference:bugtraq,32965; reference:cve,2008-2434; reference:cve,2008-2435; classtype:attempted-user; sid:15180; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Trend Micro HouseCall ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|4|00|D|00|0|00|5|00|D|00|4|00|3|00|-|00|3|00|2|00|3|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|B|00|D|00|C|00|D|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|9|00|A|00|3|00|B|00|6|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x004\x00D\x000\x005\x00D\x004\x003\x00-\x003\x002\x003\x006\x00-\x001\x001\x00D\x004\x00-\x00B\x00D\x00C\x00D\x00-\x000\x000\x00C\x000\x004\x00F\x009\x00A\x003\x00B\x006\x001\x00(}\x00)?(?P=q7)(?=\s\x00|>\x00)/siO"; reference:bugtraq,32950; reference:bugtraq,32965; reference:cve,2008-2434; reference:cve,2008-2435; classtype:attempted-user; sid:15178; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX VhdCvtCom.VhdConverter ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|2|00|F|00|B|00|F|00|3|00|0|00|9|00|-|00|5|00|6|00|F|00|6|00|-|00|4|00|0|00|9|00|E|00|-|00|B|00|9|00|D|00|7|00|-|00|D|00|B|00|B|00|C|00|1|00|9|00|0|00|A|00|D|00|5|00|1|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x002\x00F\x00B\x00F\x003\x000\x009\x00-\x005\x006\x00F\x006\x00-\x004\x000\x009\x00E\x00-\x00B\x009\x00D\x007\x00-\x00D\x00B\x00B\x00C\x001\x009\x000\x00A\x00D\x005\x001\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14485; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 21 ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|e|00|a|00|b|00|0|00|e|00|b|00|8|00|-|00|0|00|5|00|d|00|4|00|-|00|4|00|9|00|b|00|5|00|-|00|a|00|9|00|c|00|6|00|-|00|3|00|1|00|b|00|0|00|3|00|1|00|d|00|2|00|6|00|d|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00e\x00a\x00b\x000\x00e\x00b\x008\x00-\x000\x005\x00d\x004\x00-\x004\x009\x00b\x005\x00-\x00a\x009\x00c\x006\x00-\x003\x001\x00b\x000\x003\x001\x00d\x002\x006\x00d\x009\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; 
reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14519; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbCnxUtil Class ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|6|00|e|00|9|00|a|00|b|00|1|00|4|00|-|00|5|00|4|00|3|00|7|00|-|00|4|00|5|00|0|00|7|00|-|00|8|00|f|00|5|00|3|00|-|00|6|00|0|00|d|00|e|00|d|00|2|00|d|00|b|00|1|00|4|00|2|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x006\x00e\x009\x00a\x00b\x001\x004\x00-\x005\x004\x003\x007\x00-\x004\x005\x000\x007\x00-\x008\x00f\x005\x003\x00-\x006\x000\x00d\x00e\x00d\x002\x00d\x00b\x001\x004\x002\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14505; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Sopcast SopCore ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|F|00|E|00|F|00|F|00|3|00|6|00|4|00|-|00|6|00|A|00|5|00|F|00|-|00|4|00|9|00|6|00|6|00|-|00|A|00|9|00|1|00|7|00|-|00|A|00|3|00|A|00|C|00|2|00|8|00|4|00|1|00|1|00|6|00|5|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00F\x00E\x00F\x00F\x003\x006\x004\x00-\x006\x00A\x005\x00F\x00-\x004\x009\x006\x006\x00-\x00A\x009\x001\x007\x00-\x00A\x003\x00A\x00C\x002\x008\x004\x001\x001\x006\x005\x009\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33920; reference:cve,2009-0811; classtype:attempted-user; sid:15377; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Novell ZENworks Desktop Management ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|F|00|5|00|1|00|7|00|9|00|9|00|4|00|-|00|A|00|6|00|F|00|A|00|-|00|4|00|F|00|3|00|9|00|-|00|B|00|D|00|4|00|B|00|-|00|E|00|C|00|2|00|D|00|F|00|0|00|0|00|A|00|E|00|E|00|F|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00F\x005\x001\x007\x009\x009\x004\x00-\x00A\x006\x00F\x00A\x00-\x004\x00F\x003\x009\x00-\x00B\x00D\x004\x00B\x00-\x00E\x00C\x002\x00D\x00F\x000\x000\x00A\x00E\x00E\x00F\x001\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31435; reference:cve,2008-5073; classtype:attempted-user; sid:14753; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ComponentOne VSFlexGrid ActiveX function call unicode access"; flow:established,to_client; content:"V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|8|00|.|00|V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|A|00|D|00|O|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x008\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00A\x00D\x00O\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x008\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00A\x00D\x00O\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31200; reference:cve,2008-4132; classtype:attempted-user; sid:14599; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Research In Motion AxLoader ActiveX function call unicode access"; flow:established,to_client; content:"R|00|I|00|M|00|.|00|A|00|x|00|L|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)R\x00I\x00M\x00.\x00A\x00x\x00L\x00o\x00a\x00d\x00e\x00r\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)R\x00I\x00M\x00.\x00A\x00x\x00L\x00o\x00a\x00d\x00e\x00r\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15314; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 20 ActiveX clsid unicode access"; flow:established,to_client; 
content:"d|00|a|00|5|00|2|00|e|00|3|00|0|00|4|00|-|00|4|00|3|00|6|00|f|00|-|00|4|00|2|00|0|00|e|00|-|00|8|00|c|00|f|00|4|00|-|00|9|00|f|00|7|00|8|00|5|00|c|00|2|00|e|00|5|00|d|00|c|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00a\x005\x002\x00e\x003\x000\x004\x00-\x004\x003\x006\x00f\x00-\x004\x002\x000\x00e\x00-\x008\x00c\x00f\x004\x00-\x009\x00f\x007\x008\x005\x00c\x002\x00e\x005\x00d\x00c\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14513; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies PDF417 ActiveX function call unicode access"; flow:established,to_client; content:"M|00|W|00|6|00|P|00|D|00|F|00|4|00|1|00|7|00|.|00|P|00|D|00|F|00|4|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00W\x006\x00P\x00D\x00F\x004\x001\x007\x00.\x00P\x00D\x00F\x004\x001\x007\x00(\.\x00\d\x00)?(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00W\x006\x00P\x00D\x00F\x004\x001\x007\x00.\x00P\x00D\x00F\x004\x001\x007\x00(\.\x00\d\x00)?(?P=q10)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4926; classtype:attempted-user; sid:15273; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX HotfixWz Class ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|f|00|e|00|f|00|4|00|b|00|0|00|9|00|-|00|1|00|b|00|0|00|a|00|-|00|4|00|5|00|2|00|9|00|-|00|9|00|7|00|7|00|5|00|-|00|a|00|c|00|4|00|3|00|7|00|d|00|6|00|a|00|9|00|3|00|b|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00f\x00e\x00f\x004\x00b\x000\x009\x00-\x001\x00b\x000\x00a\x00-\x004\x005\x002\x009\x00-\x009\x007\x007\x005\x00-\x00a\x00c\x004\x003\x007\x00d\x006\x00a\x009\x003\x00b\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14527; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Elevated.HostDeviceInfos ActiveX function call unicode access"; flow:established,to_client; content:"E|00|l|00|e|00|v|00|a|00|t|00|e|00|d|00|.|00|H|00|o|00|s|00|t|00|D|00|e|00|v|00|i|00|c|00|e|00|I|00|n|00|f|00|o|00|s|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00H\x00o\x00s\x00t\x00D\x00e\x00v\x00i\x00c\x00e\x00I\x00n\x00f\x00o\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00H\x00o\x00s\x00t\x00D\x00e\x00v\x00i\x00c\x00e\x00I\x00n\x00f\x00o\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14471; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbParseError Class ActiveX clsid unicode access"; flow:established,to_client; content:"f|00|1|00|b|00|e|00|e|00|7|00|1|00|f|00|-|00|b|00|f|00|8|00|4|00|-|00|4|00|a|00|3|00|c|00|-|00|a|00|9|00|6|00|7|00|-|00|f|00|1|00|c|00|9|00|d|00|2|00|1|00|c|00|6|00|1|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x001\x00b\x00e\x00e\x007\x001\x00f\x00-\x00b\x00f\x008\x004\x00-\x004\x00a\x003\x00c\x00-\x00a\x009\x006\x007\x00-\x00f\x001\x00c\x009\x00d\x002\x001\x00c\x006\x001\x000\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14571; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AXIS Camera ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|1|00|7|00|6|00|2|00|3|00|D|00|1|00|-|00|D|00|8|00|E|00|5|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|E|00|8|00|B|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|0|00|6|00|B|00|D|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x007\x006\x002\x003\x00D\x001\x00-\x00D\x008\x00E\x005\x00-\x001\x001\x00D\x002\x00-\x00B\x00E\x008\x00B\x00-\x000\x000\x001\x000\x004\x00B\x000\x006\x00B\x00D\x00E\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33408; reference:cve,2008-5260; classtype:attempted-user; sid:15244; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SystemRequirementsLab ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|7|00|A|00|5|00|F|00|8|00|D|00|C|00|-|00|1|00|A|00|4|00|B|00|-|00|4|00|D|00|6|00|6|00|-|00|9|00|F|00|2|00|4|00|-|00|A|00|7|00|0|00|4|00|A|00|D|00|9|00|2|00|9|00|E|00|E|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x007\x00A\x005\x00F\x008\x00D\x00C\x00-\x001\x00A\x004\x00B\x00-\x004\x00D\x006\x006\x00-\x009\x00F\x002\x004\x00-\x00A\x007\x000\x004\x00A\x00D\x009\x002\x009\x00E\x00E\x00E\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:url,support.microsoft.com/kb/956391; reference:url,www.systemrequirementslab.com/bulletins/security_bulletin_1.html; classtype:attempted-user; sid:14632; rev:6;) # alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMListCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|2|00|d|00|8|00|2|00|f|00|3|00|2|00|-|00|b|00|4|00|b|00|0|00|-|00|4|00|7|00|6|00|3|00|-|00|8|00|0|00|d|00|6|00|-|00|8|00|7|00|3|00|2|00|3|00|1|00|7|00|3|00|d|00|5|00|7|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x002\x00d\x008\x002\x00f\x003\x002\x00-\x00b\x004\x00b\x000\x00-\x004\x007\x006\x003\x00-\x008\x000\x00d\x006\x00-\x008\x007\x003\x002\x003\x001\x007\x003\x00d\x005\x007\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14535; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Elevated.HostDeviceInfos ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|C|00|1|00|F|00|4|00|B|00|6|00|F|00|-|00|1|00|3|00|A|00|B|00|-|00|4|00|2|00|3|00|9|00|-|00|8|00|C|00|7|00|9|00|-|00|D|00|6|00|D|00|C|00|A|00|D|00|C|00|5|00|2|00|B|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00C\x001\x00F\x004\x00B\x006\x00F\x00-\x001\x003\x00A\x00B\x00-\x004\x002\x003\x009\x00-\x008\x00C\x007\x009\x00-\x00D\x006\x00D\x00C\x00A\x00D\x00C\x005\x002\x00B\x00A\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; 
reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14469; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Hummingbird HostExplorer ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|F|00|B|00|6|00|C|00|C|00|6|00|8|00|-|00|7|00|0|00|2|00|D|00|-|00|4|00|F|00|E|00|2|00|-|00|A|00|8|00|E|00|7|00|-|00|4|00|D|00|E|00|2|00|3|00|8|00|3|00|5|00|F|00|0|00|D|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00F\x00B\x006\x00C\x00C\x006\x008\x00-\x007\x000\x002\x00D\x00-\x004\x00F\x00E\x002\x00-\x00A\x008\x00E\x007\x00-\x004\x00D\x00E\x002\x003\x008\x003\x005\x00F\x000\x00D\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31783; reference:cve,2008-4729; classtype:attempted-user; sid:14745; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GeoVision LiveX 8120 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|4|00|4|00|2|00|1|00|1|00|7|00|0|00|-|00|D|00|B|00|2|00|2|00|-|00|4|00|5|00|5|00|1|00|-|00|B|00|B|00|F|00|B|00|-|00|F|00|F|00|C|00|F|00|F|00|B|00|4|00|1|00|9|00|F|00|6|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x004\x004\x002\x001\x001\x007\x000\x00-\x00D\x00B\x002\x002\x00-\x004\x005\x005\x001\x00-\x00B\x00B\x00F\x00B\x00-\x00F\x00F\x00C\x00F\x00F\x00B\x004\x001\x009\x00F\x006\x00F\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15339; 
rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Phoenician Casino ActiveX function call unicode access"; flow:established,to_client; content:"F|00|l|00|a|00|s|00|h|00|A|00|X|00|.|00|F|00|l|00|a|00|s|00|h|00|X|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)F\x00l\x00a\x00s\x00h\x00A\x00X\x00.\x00F\x00l\x00a\x00s\x00h\x00X\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)F\x00l\x00a\x00s\x00h\x00A\x00X\x00.\x00F\x00l\x00a\x00s\x00h\x00X\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,32901; reference:cve,2008-5691; classtype:attempted-user; sid:15176; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 26 ActiveX clsid unicode access"; flow:established,to_client; content:"f|00|d|00|1|00|e|00|7|00|d|00|a|00|6|00|-|00|f|00|b|00|d|00|a|00|-|00|4|00|9|00|a|00|a|00|-|00|9|00|4|00|8|00|8|00|-|00|4|00|a|00|1|00|f|00|c|00|2|00|e|00|c|00|7|00|8|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x00d\x001\x00e\x007\x00d\x00a\x006\x00-\x00f\x00b\x00d\x00a\x00-\x004\x009\x00a\x00a\x00-\x009\x004\x008\x008\x00-\x004\x00a\x001\x00f\x00c\x002\x00e\x00c\x007\x008\x002\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; 
reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14585; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX function call unicode access"; flow:established,to_client; content:"S|00|Q|00|L|00|V|00|D|00|i|00|r|00|.|00|S|00|Q|00|L|00|V|00|D|00|i|00|r|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00Q\x00L\x00V\x00D\x00i\x00r\x00.\x00S\x00Q\x00L\x00V\x00D\x00i\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00Q\x00L\x00V\x00D\x00i\x00r\x00.\x00S\x00Q\x00L\x00V\x00D\x00i\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14759; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Autodesk LiveUpdate ActiveX function call unicode access"; flow:established,to_client; content:"L|00|i|00|v|00|e|00|U|00|p|00|d|00|a|00|t|00|e|00|.|00|U|00|p|00|d|00|a|00|t|00|e|00|E|00|n|00|g|00|i|00|n|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00U\x00p\x00d\x00a\x00t\x00e\x00.\x00U\x00p\x00d\x00a\x00t\x00e\x00E\x00n\x00g\x00i\x00n\x00e\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00U\x00p\x00d\x00a\x00t\x00e\x00.\x00U\x00p\x00d\x00a\x00t\x00e\x00E\x00n\x00g\x00i\x00n\x00e\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14751; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMSwitchCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|S|00|w|00|i|00|t|00|c|00|h|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00w\x00i\x00t\x00c\x00h\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00w\x00i\x00t\x00c\x00h\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14491; 
rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Debug Diagnostic Tool ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|2|00|3|00|3|00|D|00|6|00|F|00|8|00|-|00|A|00|D|00|3|00|1|00|-|00|4|00|4|00|0|00|F|00|-|00|B|00|A|00|F|00|0|00|-|00|9|00|E|00|7|00|A|00|2|00|9|00|2|00|A|00|5|00|3|00|D|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x002\x003\x003\x00D\x006\x00F\x008\x00-\x00A\x00D\x003\x001\x00-\x004\x004\x000\x00F\x00-\x00B\x00A\x00F\x000\x00-\x009\x00E\x007\x00A\x002\x009\x002\x00A\x005\x003\x00D\x00A\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/siO"; reference:bugtraq,31996; reference:cve,2008-4800; classtype:attempted-user; sid:15000; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Dart Communications PowerTCP FTP ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|9|00|F|00|D|00|A|00|0|00|7|00|0|00|-|00|6|00|1|00|B|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|A|00|D|00|8|00|4|00|-|00|0|00|0|00|1|00|0|00|5|00|A|00|1|00|7|00|B|00|6|00|0|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x009\x00F\x00D\x00A\x000\x007\x000\x00-\x006\x001\x00B\x00A\x00-\x001\x001\x00D\x002\x00-\x00A\x00D\x008\x004\x00-\x000\x000\x001\x000\x005\x00A\x001\x007\x00B\x006\x000\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31814; reference:cve,2008-4652; classtype:attempted-user; sid:14779; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP AG SAPgui mdrmsap ActiveX clsid unicode access"; flow:established,to_client; 
content:"B|00|0|00|1|00|9|00|5|00|2|00|B|00|0|00|-|00|A|00|F|00|6|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|1|00|0|00|D|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|6|00|F|00|6|00|D|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x001\x009\x005\x002\x00B\x000\x00-\x00A\x00F\x006\x006\x00-\x001\x001\x00D\x001\x00-\x00B\x001\x000\x00D\x00-\x000\x000\x006\x000\x000\x008\x006\x00F\x006\x00D\x009\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,32186; reference:cve,2008-4387; classtype:attempted-user; sid:15070; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX ComponentOne VSFlexGrid ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|9|00|4|00|5|00|E|00|3|00|1|00|A|00|-|00|1|00|0|00|2|00|E|00|-|00|4|00|A|00|0|00|D|00|-|00|8|00|8|00|5|00|4|00|-|00|D|00|5|00|9|00|9|00|D|00|7|00|A|00|E|00|D|00|5|00|F|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x009\x004\x005\x00E\x003\x001\x00A\x00-\x001\x000\x002\x00E\x00-\x004\x00A\x000\x00D\x00-\x008\x008\x005\x004\x00-\x00D\x005\x009\x009\x00D\x007\x00A\x00E\x00D\x005\x00F\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31200; reference:cve,2008-4132; classtype:attempted-user; sid:14597; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 18 ActiveX clsid unicode access"; flow:established,to_client; 
content:"d|00|1|00|0|00|8|00|4|00|c|00|9|00|8|00|-|00|7|00|9|00|f|00|2|00|-|00|4|00|6|00|1|00|d|00|-|00|8|00|1|00|b|00|8|00|-|00|7|00|8|00|8|00|8|00|2|00|2|00|8|00|e|00|7|00|7|00|c|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x001\x000\x008\x004\x00c\x009\x008\x00-\x007\x009\x00f\x002\x00-\x004\x006\x001\x00d\x00-\x008\x001\x00b\x008\x00-\x007\x008\x008\x008\x002\x002\x008\x00e\x007\x007\x00c\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14493; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 16 ActiveX clsid unicode access"; flow:established,to_client; content:"b|00|e|00|a|00|4|00|8|00|e|00|3|00|e|00|-|00|5|00|9|00|9|00|0|00|-|00|4|00|f|00|5|00|2|00|-|00|a|00|d|00|0|00|c|00|-|00|4|00|f|00|e|00|e|00|8|00|b|00|0|00|0|00|b|00|3|00|d|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00e\x00a\x004\x008\x00e\x003\x00e\x00-\x005\x009\x009\x000\x00-\x004\x00f\x005\x002\x00-\x00a\x00d\x000\x00c\x00-\x004\x00f\x00e\x00e\x008\x00b\x000\x000\x00b\x003\x00d\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; 
classtype:attempted-user; sid:14473; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies DataMatrix ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|E|00|7|00|D|00|A|00|0|00|B|00|5|00|-|00|7|00|D|00|7|00|B|00|-|00|4|00|C|00|E|00|A|00|-|00|8|00|7|00|3|00|9|00|-|00|6|00|5|00|C|00|F|00|6|00|0|00|0|00|D|00|5|00|1|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00E\x007\x00D\x00A\x000\x00B\x005\x00-\x007\x00D\x007\x00B\x00-\x004\x00C\x00E\x00A\x00-\x008\x007\x003\x009\x00-\x006\x005\x00C\x00F\x006\x000\x000\x00D\x005\x001\x001\x00E\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4925; classtype:attempted-user; sid:15275; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 24 ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|d|00|a|00|f|00|3|00|a|00|1|00|f|00|-|00|9|00|4|00|2|00|e|00|-|00|4|00|0|00|6|00|2|00|-|00|8|00|9|00|b|00|0|00|-|00|5|00|2|00|7|00|6|00|0|00|6|00|0|00|d|00|f|00|f|00|9|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00d\x00a\x00f\x003\x00a\x001\x00f\x00-\x009\x004\x002\x00e\x00-\x004\x000\x006\x002\x00-\x008\x009\x00b\x000\x00-\x005\x002\x007\x006\x000\x006\x000\x00d\x00f\x00f\x009\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; 
classtype:attempted-user; sid:14565; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Office Viewer 2 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|7|00|A|00|F|00|4|00|A|00|4|00|5|00|-|00|4|00|9|00|B|00|E|00|-|00|4|00|4|00|8|00|5|00|-|00|9|00|F|00|5|00|5|00|-|00|9|00|1|00|A|00|B|00|4|00|0|00|F|00|2|00|8|00|8|00|F|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x00A\x00F\x004\x00A\x004\x005\x00-\x004\x009\x00B\x00E\x00-\x004\x004\x008\x005\x00-\x009\x00F\x005\x005\x00-\x009\x001\x00A\x00B\x004\x000\x00F\x002\x008\x008\x00F\x002\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23811; reference:bugtraq,33238; reference:bugtraq,33243; reference:bugtraq,33245; reference:cve,2007-2588; reference:url,moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html; classtype:attempted-user; sid:15231; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMListCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|L|00|i|00|s|00|t|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14537; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientVM Class ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|d|00|3|00|7|00|0|00|5|00|d|00|3|00|-|00|5|00|3|00|b|00|0|00|-|00|4|00|d|00|2|00|d|00|-|00|9|00|6|00|1|00|e|00|-|00|6|00|4|00|f|00|c|00|7|00|4|00|9|00|5|00|b|00|8|00|c|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00d\x003\x007\x000\x005\x00d\x003\x00-\x005\x003\x00b\x000\x00-\x004\x00d\x002\x00d\x00-\x009\x006\x001\x00e\x00-\x006\x004\x00f\x00c\x007\x004\x009\x005\x00b\x008\x00c\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14515; 
rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare VMCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|C|00|O|00|M|00|.|00|V|00|m|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00C\x00O\x00M\x00.\x00V\x00m\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00C\x00O\x00M\x00.\x00V\x00m\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3892; classtype:attempted-user; sid:14614; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HotfixWz Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|c|00|f|00|g|00|.|00|H|00|o|00|t|00|f|00|i|00|x|00|W|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00c\x00f\x00g\x00.\x00H\x00o\x00t\x00f\x00i\x00x\x00W\x00z\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00c\x00f\x00g\x00.\x00H\x00o\x00t\x00f\x00i\x00x\x00W\x00z\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14529; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FathFTP ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|2|00|A|00|9|00|8|00|9|00|C|00|E|00|-|00|D|00|3|00|9|00|A|00|-|00|1|00|1|00|D|00|5|00|-|00|8|00|6|00|F|00|0|00|-|00|B|00|9|00|C|00|3|00|7|00|0|00|7|00|6|00|2|00|1|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x002\x00A\x009\x008\x009\x00C\x00E\x00-\x00D\x003\x009\x00A\x00-\x001\x001\x00D\x005\x00-\x008\x006\x00F\x000\x00-\x00B\x009\x00C\x003\x007\x000\x007\x006\x002\x001\x007\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33842; classtype:attempted-user; sid:15369; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies Barcode ActiveX function call unicode access"; flow:established,to_client; content:"B|00|a|00|r|00|c|00|o|00|d|00|e|00|.|00|M|00|W|00|6|00|B|00|a|00|r|00|c|00|o|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00.\x00M\x00W\x006\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00.\x00M\x00W\x006\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33451; reference:cve,2008-4924; 
reference:cve,2009-0298; classtype:attempted-user; sid:15269; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 17 ActiveX clsid unicode access"; flow:established,to_client; content:"b|00|f|00|3|00|3|00|7|00|b|00|9|00|5|00|-|00|a|00|0|00|8|00|a|00|-|00|4|00|3|00|b|00|a|00|-|00|b|00|3|00|9|00|5|00|-|00|0|00|0|00|1|00|b|00|b|00|1|00|1|00|e|00|5|00|1|00|c|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00f\x003\x003\x007\x00b\x009\x005\x00-\x00a\x000\x008\x00a\x00-\x004\x003\x00b\x00a\x00-\x00b\x003\x009\x005\x00-\x000\x000\x001\x00b\x00b\x001\x001\x00e\x005\x001\x00c\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14475; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Akamai DownloadManager ActiveX function call unicode access"; flow:established,to_client; content:"M|00|A|00|N|00|A|00|G|00|E|00|R|00|.|00|D|00|L|00|M|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00A\x00N\x00A\x00G\x00E\x00R\x00.\x00D\x00L\x00M\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q11)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00A\x00N\x00A\x00G\x00E\x00R\x00.\x00D\x00L\x00M\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q12)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15318; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|C|00|1|00|3|00|B|00|A|00|A|00|2|00|-|00|9|00|C|00|1|00|A|00|-|00|4|00|0|00|6|00|9|00|-|00|A|00|2|00|2|00|1|00|-|00|3|00|1|00|A|00|1|00|4|00|7|00|6|00|3|00|6|00|0|00|3|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00C\x001\x003\x00B\x00A\x00A\x002\x00-\x009\x00C\x001\x00A\x00-\x004\x000\x006\x009\x00-\x00A\x002\x002\x001\x00-\x003\x001\x00A\x001\x004\x007\x006\x003\x006\x000\x003\x008\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31129; reference:cve,2008-4110; classtype:attempted-user; sid:14757; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmappPropFrame Class ActiveX clsid unicode access"; flow:established,to_client; content:"c|00|0|00|f|00|9|00|8|00|5|00|7|00|7|00|-|00|f|00|c|00|8|00|0|00|-|00|4|00|d|00|0|00|a|00|-|00|8|00|6|00|b|00|2|00|-|00|6|00|d|00|4|00|e|00|0|00|4|00|5|00|e|00|d|00|f|00|8|00|e|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*c\x000\x00f\x009\x008\x005\x007\x007\x00-\x00f\x00c\x008\x000\x00-\x004\x00d\x000\x00a\x00-\x008\x006\x00b\x002\x00-\x006\x00d\x004\x00e\x000\x004\x005\x00e\x00d\x00f\x008\x00e\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14481; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CheckedListViewWnd Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|C|00|h|00|e|00|c|00|k|00|e|00|d|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|W|00|n|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00h\x00e\x00c\x00k\x00e\x00d\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00h\x00e\x00c\x00k\x00e\x00d\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14541; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PolicyCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|P|00|o|00|l|00|i|00|c|00|y|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00P\x00o\x00l\x00i\x00c\x00y\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00P\x00o\x00l\x00i\x00c\x00y\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14569; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmhwcfg.NwzCompleted ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|F|00|6|00|2|00|5|00|D|00|9|00|0|00|-|00|A|00|7|00|4|00|B|00|-|00|4|00|d|00|d|00|8|00|-|00|9|00|8|00|4|00|7|00|-|00|9|00|C|00|F|00|D|00|6|00|F|00|9|00|2|00|8|00|F|00|E|00|F|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00F\x006\x002\x005\x00D\x009\x000\x00-\x00A\x007\x004\x00B\x00-\x004\x00d\x00d\x008\x00-\x009\x008\x004\x007\x00-\x009\x00C\x00F\x00D\x006\x00F\x009\x002\x008\x00F\x00E\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14453; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Easy Grid ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|D|00|4|00|4|00|C|00|0|00|E|00|A|00|-|00|B|00|2|00|C|00|F|00|-|00|3|00|1|00|D|00|1|00|-|00|8|00|D|00|D|00|3|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00D\x004\x004\x00C\x000\x00E\x00A\x00-\x00B\x002\x00C\x00F\x00-\x003\x001\x00D\x001\x00-\x008\x00D\x00D\x003\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x000\x000\x000\x000\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33272; reference:cve,2009-0134; classtype:attempted-user; sid:15233; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vmc2vmx.CoVPCDrives ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|B|00|A|00|2|00|5|00|0|00|D|00|3|00|-|00|C|00|E|00|E|00|2|00|-|00|4|00|1|00|8|00|5|00|-|00|8|00|5|00|6|00|3|00|-|00|1|00|0|00|8|00|0|00|F|00|5|00|0|00|B|00|B|00|7|00|3|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00B\x00A\x002\x005\x000\x00D\x003\x00-\x00C\x00E\x00E\x002\x00-\x004\x001\x008\x005\x00-\x008\x005\x006\x003\x00-\x001\x000\x008\x000\x00F\x005\x000\x00B\x00B\x007\x003\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14553; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies PDF417 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|0|00|D|00|2|00|A|00|8|00|7|00|5|00|-|00|5|00|0|00|2|00|4|00|-|00|4|00|C|00|C|00|D|00|-|00|8|00|0|00|A|00|A|00|-|00|C|00|8|00|A|00|3|00|5|00|3|00|D|00|B|00|2|00|B|00|4|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x000\x00D\x002\x00A\x008\x007\x005\x00-\x005\x000\x002\x004\x00-\x004\x00C\x00C\x00D\x00-\x008\x000\x00A\x00A\x00-\x00C\x008\x00A\x003\x005\x003\x00D\x00B\x002\x00B\x004\x005\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4926; classtype:attempted-user; sid:15271; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMwareVpcCvt.VpcC ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|4|00|2|00|8|00|A|00|1|00|3|00|5|00|-|00|8|00|4|00|9|00|4|00|-|00|4|00|1|00|D|00|E|00|-|00|A|00|4|00|B|00|5|00|-|00|8|00|B|00|B|00|1|00|B|00|6|00|3|00|2|00|E|00|8|00|D|00|C|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x004\x002\x008\x00A\x001\x003\x005\x00-\x008\x004\x009\x004\x00-\x004\x001\x00D\x00E\x00-\x00A\x004\x00B\x005\x00-\x008\x00B\x00B\x001\x00B\x006\x003\x002\x00E\x008\x00D\x00C\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14501; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Evans FTP ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|E|00|8|00|6|00|4|00|D|00|3|00|E|00|-|00|3|00|E|00|6|00|A|00|-|00|4|00|8|00|F|00|0|00|-|00|8|00|8|00|A|00|F|00|-|00|C|00|E|00|A|00|E|00|E|00|3|00|2|00|2|00|F|00|9|00|F|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00E\x008\x006\x004\x00D\x003\x00E\x00-\x003\x00E\x006\x00A\x00-\x004\x008\x00F\x000\x00-\x008\x008\x00A\x00F\x00-\x00C\x00E\x00A\x00E\x00E\x003\x002\x002\x00F\x009\x00F\x00D\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,32814; classtype:attempted-user; sid:15160; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 12 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|d|00|2|00|5|00|3|00|f|00|8|00|5|00|-|00|f|00|9|00|b|00|1|00|-|00|4|00|4|00|6|00|e|00|-|00|9|00|1|00|2|00|2|00|-|00|7|00|e|00|f|00|3|00|e|00|2|00|6|00|0|00|c|00|3|00|e|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00d\x002\x005\x003\x00f\x008\x005\x00-\x00f\x009\x00b\x001\x00-\x004\x004\x006\x00e\x00-\x009\x001\x002\x002\x00-\x007\x00e\x00f\x003\x00e\x002\x006\x000\x00c\x003\x00e\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14445; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Data Dynamics ActiveReport ARViewer2 ActiveX function call unicode access"; flow:established,to_client; content:"D|00|D|00|A|00|c|00|t|00|i|00|v|00|e|00|R|00|e|00|p|00|o|00|r|00|t|00|s|00|V|00|i|00|e|00|w|00|e|00|r|00|2|00|.|00|A|00|R|00|V|00|i|00|e|00|w|00|e|00|r|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00D\x00A\x00c\x00t\x00i\x00v\x00e\x00R\x00e\x00p\x00o\x00r\x00t\x00s\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00.\x00A\x00R\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)D\x00D\x00A\x00c\x00t\x00i\x00v\x00e\x00R\x00e\x00p\x00o\x00r\x00t\x00s\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00.\x00A\x00R\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31227; reference:cve,2008-5089; classtype:attempted-user; sid:14606; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS 
-> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Easy Grid ActiveX function call unicode access"; flow:established,to_client; content:"E|00|a|00|s|00|y|00|G|00|r|00|i|00|d|00|.|00|S|00|G|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00a\x00s\x00y\x00G\x00r\x00i\x00d\x00.\x00S\x00G\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00a\x00s\x00y\x00G\x00r\x00i\x00d\x00.\x00S\x00G\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33272; reference:cve,2009-0134; classtype:attempted-user; sid:15235; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 14 ActiveX clsid unicode access"; flow:established,to_client; content:"a|00|e|00|a|00|b|00|0|00|a|00|1|00|a|00|-|00|4|00|b|00|c|00|d|00|-|00|4|00|f|00|c|00|2|00|-|00|9|00|c|00|7|00|0|00|-|00|0|00|e|00|0|00|a|00|e|00|3|00|b|00|4|00|0|00|3|00|5|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*a\x00e\x00a\x00b\x000\x00a\x001\x00a\x00-\x004\x00b\x00c\x00d\x00-\x004\x00f\x00c\x002\x00-\x009\x00c\x007\x000\x00-\x000\x00e\x000\x00a\x00e\x003\x00b\x004\x000\x003\x005\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14461; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Virtual Rooms v7 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|0|00|3|00|2|00|-|00|9|00|5|00|9|00|3|00|-|00|4|00|2|00|6|00|4|00|-|00|8|00|B|00|2|00|9|00|-|00|9|00|3|00|0|00|B|00|3|00|E|00|4|00|E|00|D|00|C|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x000\x000\x000\x003\x002\x00-\x009\x005\x009\x003\x00-\x004\x002\x006\x004\x00-\x008\x00B\x002\x009\x00-\x009\x003\x000\x00B\x003\x00E\x004\x00E\x00D\x00C\x00C\x00D\x00(}\x00)?(?P=q17)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33918; reference:cve,2009-0208; classtype:attempted-user; sid:15381; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 23 ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|5|00|4|00|b|00|2|00|a|00|a|00|7|00|-|00|5|00|2|00|a|00|b|00|-|00|4|00|3|00|1|00|c|00|-|00|a|00|1|00|f|00|a|00|-|00|3|00|f|00|8|00|0|00|7|00|e|00|e|00|3|00|5|00|7|00|8|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x005\x004\x00b\x002\x00a\x00a\x007\x00-\x005\x002\x00a\x00b\x00-\x004\x003\x001\x00c\x00-\x00a\x001\x00f\x00a\x00-\x003\x00f\x008\x000\x007\x00e\x00e\x003\x005\x007\x008\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; 
reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14543; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PolicyCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|d|00|c|00|2|00|c|00|f|00|e|00|2|00|-|00|9|00|7|00|c|00|9|00|-|00|4|00|1|00|c|00|3|00|-|00|8|00|0|00|e|00|9|00|-|00|9|00|b|00|b|00|5|00|5|00|b|00|5|00|a|00|1|00|a|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00d\x00c\x002\x00c\x00f\x00e\x002\x00-\x009\x007\x00c\x009\x00-\x004\x001\x00c\x003\x00-\x008\x000\x00e\x009\x00-\x009\x00b\x00b\x005\x005\x00b\x005\x00a\x001\x00a\x00d\x00e\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14567; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioGrabber2 ActiveX function call unicode access"; flow:established,to_client; content:"N|00|C|00|T|00|A|00|u|00|d|00|i|00|o|00|G|00|r|00|a|00|b|00|b|00|e|00|r|00|2|00|.|00|A|00|u|00|d|00|i|00|o|00|G|00|r|00|a|00|b|00|b|00|e|00|r|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00(\.\x00\d\x00)?(?P=q35)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00(\.\x00\d\x00)?(?P=q36)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-0958; reference:url,www.kb.cert.org/vuls/id/656593; classtype:attempted-user; sid:15287; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMClientVM Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|V|00|M|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14517; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ciansoft PDFBuilderX ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|E|00|7|00|C|00|7|00|F|00|8|00|-|00|7|00|1|00|E|00|2|00|-|00|4|00|9|00|8|00|A|00|-|00|A|00|B|00|2|00|8|00|-|00|A|00|3|00|D|00|7|00|2|00|F|00|C|00|7|00|4|00|4|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x00E\x007\x00C\x007\x00F\x008\x00-\x007\x001\x00E\x002\x00-\x004\x009\x008\x00A\x00-\x00A\x00B\x002\x008\x00-\x00A\x003\x00D\x007\x002\x00F\x00C\x007\x004\x004\x008\x005\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33233; classtype:attempted-user; sid:15229; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.SystemReconfigur ActiveX function call unicode access"; flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|S|00|y|00|s|00|t|00|e|00|m|00|R|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14451; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Peachtree Accounting 2004 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|B|00|C|00|E|00|A|00|E|00|C|00|E|00|-|00|6|00|1|00|2|00|1|00|-|00|4|00|E|00|7|00|8|00|-|00|8|00|1|00|6|00|C|00|-|00|8|00|C|00|D|00|3|00|1|00|2|00|1|00|3|00|6|00|1|00|B|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00B\x00C\x00E\x00A\x00E\x00C\x00E\x00-\x006\x001\x002\x001\x00-\x004\x00E\x007\x008\x00-\x008\x001\x006\x00C\x00-\x008\x00C\x00D\x003\x001\x002\x001\x003\x006\x001\x00B\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,31096; reference:cve,2008-4699; classtype:attempted-user; sid:14595; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Autodesk LiveUpdate ActiveX 
clsid unicode access"; flow:established,to_client; content:"8|00|9|00|E|00|C|00|7|00|9|00|2|00|1|00|-|00|7|00|2|00|9|00|B|00|-|00|4|00|1|00|1|00|6|00|-|00|A|00|8|00|1|00|9|00|-|00|D|00|F|00|8|00|6|00|A|00|4|00|A|00|5|00|7|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x009\x00E\x00C\x007\x009\x002\x001\x00-\x007\x002\x009\x00B\x00-\x004\x001\x001\x006\x00-\x00A\x008\x001\x009\x00-\x00D\x00F\x008\x006\x00A\x004\x00A\x005\x007\x007\x006\x00B\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31490; reference:cve,2008-4472; classtype:attempted-user; sid:14749; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Autodesk DWF Viewer ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|6|00|6|00|2|00|D|00|A|00|7|00|E|00|-|00|C|00|C|00|B|00|7|00|-|00|4|00|7|00|4|00|3|00|-|00|B|00|7|00|1|00|A|00|-|00|D|00|8|00|1|00|7|00|F|00|6|00|D|00|5|00|7|00|5|00|D|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x006\x006\x002\x00D\x00A\x007\x00E\x00-\x00C\x00C\x00B\x007\x00-\x004\x007\x004\x003\x00-\x00B\x007\x001\x00A\x00-\x00D\x008\x001\x007\x00F\x006\x00D\x005\x007\x005\x00D\x00F\x00(}\x00)?(?P=q5)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31487; reference:bugtraq,31490; reference:cve,2008-4471; reference:cve,2008-4472; classtype:attempted-user; sid:14747; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft PicturePusher ActiveX function call unicode access"; flow:established,to_client; 
content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|D|00|I|00|G|00|.|00|P|00|i|00|c|00|t|00|u|00|r|00|e|00|P|00|u|00|s|00|h|00|e|00|r|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00D\x00I\x00G\x00.\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00P\x00u\x00s\x00h\x00e\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00D\x00I\x00G\x00.\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00P\x00u\x00s\x00h\x00e\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31632; reference:cve,2008-4493; classtype:attempted-user; sid:14640; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Novell ZENworks Desktop Management ActiveX function call unicode access"; flow:established,to_client; content:"A|00|x|00|N|00|a|00|l|00|S|00|e|00|r|00|v|00|e|00|r|00|.|00|C|00|A|00|x|00|N|00|a|00|l|00|W|00|e|00|b|00|I|00|n|00|t|00|e|00|r|00|f|00|a|00|c|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)A\x00x\x00N\x00a\x00l\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00C\x00A\x00x\x00N\x00a\x00l\x00W\x00e\x00b\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*((\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q15>\x22|\x27|)A\x00x\x00N\x00a\x00l\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00C\x00A\x00x\x00N\x00a\x00l\x00W\x00e\x00b\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31435; reference:cve,2008-5073; classtype:attempted-user; sid:14755; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbUpdates Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|U|00|p|00|d|00|a|00|t|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*((\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14533; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Nokia Phoenix Service 1 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|8|00|5|00|B|00|4|00|A|00|1|00|0|00|-|00|B|00|5|00|3|00|0|00|-|00|4|00|D|00|6|00|8|00|-|00|A|00|7|00|1|00|4|00|-|00|7|00|4|00|1|00|5|00|8|00|3|00|8|00|F|00|D|00|1|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x008\x005\x00B\x004\x00A\x001\x000\x00-\x00B\x005\x003\x000\x00-\x004\x00D\x006\x008\x00-\x00A\x007\x001\x004\x00-\x007\x004\x001\x005\x008\x003\x008\x00F\x00D\x001\x007\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33726; classtype:attempted-user; sid:15331; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Chilkat Crypt 2 ActiveX function call unicode access"; flow:established,to_client; content:"C|00|h|00|i|00|l|00|k|00|a|00|t|00|C|00|r|00|y|00|p|00|t|00|2|00|.|00|C|00|h|00|i|00|l|00|k|00|a|00|t|00|C|00|r|00|y|00|p|00|t|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q17>\x22|\x27|)C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00(\.\x00\d\x00)?(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*((\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q18>\x22|\x27|)C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00(\.\x00\d\x00)?(?P=q18)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,32073; reference:cve,2008-5002; classtype:attempted-user; sid:15006; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Research In Motion AxLoader ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|7|00|8|00|8|00|D|00|E|00|0|00|8|00|-|00|3|00|5|00|5|00|2|00|-|00|4|00|9|00|E|00|A|00|-|00|A|00|C|00|8|00|C|00|-|00|2|00|3|00|3|00|D|00|A|00|5|00|2|00|5|00|2|00|3|00|B|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x008\x008\x00D\x00E\x000\x008\x00-\x003\x005\x005\x002\x00-\x004\x009\x00E\x00A\x00-\x00A\x00C\x008\x00C\x00-\x002\x003\x003\x00D\x00A\x005\x002\x005\x002\x003\x00B\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33663; reference:cve,2009-0305; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15312; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.GuestInfo ActiveX clsid unicode access"; flow:established,to_client; 
content:"C|00|0|00|A|00|9|00|F|00|3|00|A|00|2|00|-|00|C|00|9|00|3|00|3|00|-|00|4|00|2|00|E|00|5|00|-|00|8|00|E|00|D|00|4|00|-|00|F|00|C|00|7|00|E|00|9|00|A|00|5|00|5|00|6|00|8|00|6|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x000\x00A\x009\x00F\x003\x00A\x002\x00-\x00C\x009\x003\x003\x00-\x004\x002\x00E\x005\x00-\x008\x00E\x00D\x004\x00-\x00F\x00C\x007\x00E\x009\x00A\x005\x005\x006\x008\x006\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14477; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CurrentVMCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|M|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00r\x00r\x00e\x00n\x00t\x00V\x00M\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00r\x00r\x00e\x00n\x00t\x00V\x00M\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; 
reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14589; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vmc2vmx.CoVPCDrives ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|c|00|2|00|v|00|m|00|x|00|.|00|C|00|o|00|V|00|P|00|C|00|D|00|r|00|i|00|v|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14555; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SizerOne ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|3|00|1|00|5|00|B|00|0|00|5|00|9|00|-|00|E|00|D|00|D|00|7|00|-|00|4|00|C|00|6|00|6|00|-|00|9|00|3|00|3|00|C|00|-|00|E|00|C|00|F|00|F|00|5|00|B|00|9|00|D|00|D|00|5|00|9|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x003\x001\x005\x00B\x000\x005\x009\x00-\x00E\x00D\x00D\x007\x00-\x004\x00C\x006\x006\x00-\x009\x003\x003\x00C\x00-\x00E\x00C\x00F\x00F\x005\x00B\x009\x00D\x00D\x005\x009\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33148; reference:cve,2008-4827; classtype:attempted-user; sid:15193; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Synactis ALL In-The-Box ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|5|00|5|00|7|00|6|00|8|00|9|00|3|00|-|00|F|00|9|00|4|00|8|00|-|00|4|00|E|00|0|00|F|00|-|00|9|00|B|00|E|00|1|00|-|00|A|00|3|00|7|00|C|00|B|00|5|00|6|00|D|00|6|00|6|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x005\x005\x007\x006\x008\x009\x003\x00-\x00F\x009\x004\x008\x00-\x004\x00E\x000\x00F\x00-\x009\x00B\x00E\x001\x00-\x00A\x003\x007\x00C\x00B\x005\x006\x00D\x006\x006\x00F\x00F\x00(}\x00)?(?P=q24)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33535; reference:cve,2009-0465; classtype:attempted-user; sid:15347; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MksCompatCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"a|00|1|00|7|00|0|00|c|00|d|00|0|00|0|00|-|00|5|00|c|00|e|00|4|00|-|00|4|00|6|00|d|00|0|00|-|00|b|00|0|00|1|00|3|00|-|00|e|00|8|00|0|00|4|00|f|00|f|00|d|00|1|00|d|00|9|00|2|00|9|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*a\x001\x007\x000\x00c\x00d\x000\x000\x00-\x005\x00c\x00e\x004\x00-\x004\x006\x00d\x000\x00-\x00b\x000\x001\x003\x00-\x00e\x008\x000\x004\x00f\x00f\x00d\x001\x00d\x009\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14457; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PhotoStockPlus ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|4|00|8|00|B|00|B|00|4|00|1|00|6|00|-|00|C|00|5|00|7|00|8|00|-|00|4|00|A|00|6|00|2|00|-|00|8|00|4|00|C|00|9|00|-|00|5|00|E|00|3|00|3|00|8|00|9|00|A|00|B|00|E|00|5|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x004\x008\x00B\x00B\x004\x001\x006\x00-\x00C\x005\x007\x008\x00-\x004\x00A\x006\x002\x00-\x008\x004\x00C\x009\x00-\x005\x00E\x003\x003\x008\x009\x00A\x00B\x00E\x005\x00F\x00C\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,29279; reference:cve,2008-0957; reference:url,support.microsoft.com/kb/956391; classtype:attempted-user; sid:14634; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioInformation2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"A|00|A|00|F|00|A|00|1|00|E|00|7|00|3|00|-|00|4|00|8|00|4|00|2|00|-|00|4|00|B|00|E|00|C|00|-|00|B|00|C|00|4|00|6|00|-|00|4|00|8|00|C|00|6|00|2|00|E|00|1|00|C|00|5|00|C|00|9|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00A\x00F\x00A\x001\x00E\x007\x003\x00-\x004\x008\x004\x002\x00-\x004\x00B\x00E\x00C\x00-\x00B\x00C\x004\x006\x00-\x004\x008\x00C\x006\x002\x00E\x001\x00C\x005\x00C\x009\x00C\x00(}\x00)?(?P=q39)(?=\s\x00|>\x00)/siO"; reference:cve,2008-0959; reference:url,www.kb.cert.org/vuls/id/669265; classtype:attempted-user; sid:15289; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Web on Windows ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|4|00|1|00|E|00|9|00|D|00|4|00|7|00|-|00|9|00|F|00|5|00|2|00|-|00|1|00|1|00|D|00|6|00|-|00|9|00|6|00|7|00|2|00|-|00|0|00|0|00|8|00|0|00|C|00|8|00|8|00|B|00|3|00|6|00|1|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x001\x00E\x009\x00D\x004\x007\x00-\x009\x00F\x005\x002\x00-\x001\x001\x00D\x006\x00-\x009\x006\x007\x002\x00-\x000\x000\x008\x000\x00C\x008\x008\x00B\x003\x006\x001\x003\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33515; reference:cve,2009-0389; classtype:attempted-user; sid:15351; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FathFTP ActiveX function call unicode access"; flow:established,to_client; content:"F|00|a|00|t|00|h|00|F|00|T|00|P|00|.|00|F|00|a|00|t|00|h|00|F|00|T|00|P|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)F\x00a\x00t\x00h\x00F\x00T\x00P\x00.\x00F\x00a\x00t\x00h\x00F\x00T\x00P\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)F\x00a\x00t\x00h\x00F\x00T\x00P\x00.\x00F\x00a\x00t\x00h\x00F\x00T\x00P\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33842; classtype:attempted-user; sid:15371; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Data Dynamics ActiveReport ARViewer2 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|5|00|6|00|9|00|D|00|7|00|1|00|5|00|-|00|F|00|F|00|8|00|8|00|-|00|4|00|4|00|B|00|A|00|-|00|8|00|D|00|1|00|D|00|-|00|A|00|D|00|3|00|E|00|5|00|9|00|5|00|4|00|3|00|D|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x005\x006\x009\x00D\x007\x001\x005\x00-\x00F\x00F\x008\x008\x00-\x004\x004\x00B\x00A\x00-\x008\x00D\x001\x00D\x00-\x00A\x00D\x003\x00E\x005\x009\x005\x004\x003\x00D\x00D\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,31227; reference:cve,2008-5089; classtype:attempted-user; sid:14604; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioFile2 ActiveX function call unicode access"; flow:established,to_client; content:"N|00|C|00|T|00|A|00|u|00|d|00|i|00|o|00|F|00|i|00|l|00|e|00|2|00|.|00|A|00|u|00|d|00|i|00|o|00|F|00|i|00|l|00|e|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q30)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q31)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,22196; reference:bugtraq,33469; reference:cve,2007-0018; reference:url,www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:15265; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NavigationCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|N|00|a|00|v|00|i|00|g|00|a|00|t|00|i|00|o|00|n|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00N\x00a\x00v\x00i\x00g\x00a\x00t\x00i\x00o\x00n\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00N\x00a\x00v\x00i\x00g\x00a\x00t\x00i\x00o\x00n\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; 
reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14577; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMWare unspecified 22 ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|f|00|d|00|8|00|b|00|1|00|6|00|7|00|-|00|5|00|6|00|5|00|2|00|-|00|4|00|9|00|6|00|2|00|-|00|a|00|1|00|6|00|2|00|-|00|9|00|a|00|2|00|2|00|7|00|8|00|2|00|5|00|a|00|f|00|a|00|a|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00f\x00d\x008\x00b\x001\x006\x007\x00-\x005\x006\x005\x002\x00-\x004\x009\x006\x002\x00-\x00a\x001\x006\x002\x00-\x009\x00a\x002\x002\x007\x008\x002\x005\x00a\x00f\x00a\x00a\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14525; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMList Class ActiveX function call unicode access"; flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|L|00|i|00|s|00|t|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14581; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Nokia Phoenix Service 2 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|2|00|9|00|A|00|0|00|D|00|7|00|7|00|-|00|0|00|4|00|4|00|A|00|-|00|4|00|9|00|7|00|F|00|-|00|8|00|F|00|D|00|F|00|-|00|8|00|E|00|D|00|E|00|8|00|1|00|F|00|6|00|2|00|5|00|1|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x009\x00A\x000\x00D\x007\x007\x00-\x000\x004\x004\x00A\x00-\x004\x009\x007\x00F\x00-\x008\x00F\x00D\x00F\x00-\x008\x00E\x00D\x00E\x008\x001\x00F\x006\x002\x005\x001\x00A\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33726; classtype:attempted-user; sid:15333; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioGrabber2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"3|00|4|00|A|00|2|00|6|00|1|00|F|00|9|00|-|00|F|00|C|00|3|00|4|00|-|00|4|00|7|00|F|00|8|00|-|00|A|00|3|00|5|00|C|00|-|00|7|00|5|00|F|00|B|00|7|00|3|00|B|00|B|00|1|00|3|00|5|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x004\x00A\x002\x006\x001\x00F\x009\x00-\x00F\x00C\x003\x004\x00-\x004\x007\x00F\x008\x00-\x00A\x003\x005\x00C\x00-\x007\x005\x00F\x00B\x007\x003\x00B\x00B\x001\x003\x005\x008\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/siO"; reference:cve,2008-0958; reference:url,www.kb.cert.org/vuls/id/656593; classtype:attempted-user; sid:15285; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Evans FTP ActiveX function call unicode access"; flow:established,to_client; content:"E|00|v|00|a|00|n|00|s|00|F|00|T|00|P|00|.|00|e|00|F|00|t|00|p|00|E|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00v\x00a\x00n\x00s\x00F\x00T\x00P\x00.\x00e\x00F\x00t\x00p\x00E\x00z\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00v\x00a\x00n\x00s\x00F\x00T\x00P\x00.\x00e\x00F\x00t\x00p\x00E\x00z\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,32814; classtype:attempted-user; sid:15162; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VhdCvtCom.DiskLibHelper ActiveX function call unicode access"; flow:established,to_client; 
content:"V|00|h|00|d|00|C|00|v|00|t|00|C|00|o|00|m|00|.|00|D|00|i|00|s|00|k|00|L|00|i|00|b|00|H|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14593; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbUpdates Class ActiveX clsid unicode access"; flow:established,to_client; content:"d|00|f|00|f|00|4|00|4|00|a|00|e|00|c|00|-|00|2|00|3|00|7|00|0|00|-|00|4|00|6|00|9|00|d|00|-|00|8|00|a|00|2|00|2|00|-|00|d|00|f|00|8|00|2|00|4|00|4|00|8|00|b|00|f|00|f|00|6|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00f\x00f\x004\x004\x00a\x00e\x00c\x00-\x002\x003\x007\x000\x00-\x004\x006\x009\x00d\x00-\x008\x00a\x002\x002\x00-\x00d\x00f\x008\x002\x004\x004\x008\x00b\x00f\x00f\x006\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; 
reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14531; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NCTAudioInformation2 ActiveX function call unicode access"; flow:established,to_client; content:"N|00|C|00|T|00|A|00|u|00|d|00|i|00|o|00|I|00|n|00|f|00|o|00|r|00|m|00|a|00|t|00|i|00|o|00|n|00|2|00|.|00|A|00|u|00|d|00|i|00|o|00|I|00|n|00|f|00|o|00|r|00|m|00|a|00|t|00|i|00|o|00|n|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00(\.\x00\d\x00)?(?P=q40)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00(\.\x00\d\x00)?(?P=q41)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-0959; reference:url,www.kb.cert.org/vuls/id/669265; classtype:attempted-user; sid:15291; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MetaProducts MetaTreeX ActiveX function call unicode access"; flow:established,to_client; content:"S|00|a|00|v|00|e|00|T|00|o|00|B|00|M|00|P|00|.|00|M|00|e|00|t|00|a|00|T|00|r|00|e|00|e|00|X|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00a\x00v\x00e\x00T\x00o\x00B\x00M\x00P\x00.\x00M\x00e\x00t\x00a\x00T\x00r\x00e\x00e\x00X\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00a\x00v\x00e\x00T\x00o\x00B\x00M\x00P\x00.\x00M\x00e\x00t\x00a\x00T\x00r\x00e\x00e\x00X\x00(\.\x00\d\x00)?(?P=q16)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33318; classtype:attempted-user; sid:15254; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GeoVision LiveX 8200 ActiveX function call unicode access"; flow:established,to_client; content:"L|00|i|00|v|00|e|00|X|00|_|00|v|00|8|00|2|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x002\x000\x000\x00(\.\x00\d\x00)?(?P=q20)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x002\x000\x000\x00(\.\x00\d\x00)?(?P=q21)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15345; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX FlexCell Grid ActiveX clsid unicode access"; flow:established,to_client; 
content:"2|00|A|00|7|00|D|00|9|00|C|00|C|00|E|00|-|00|2|00|1|00|1|00|A|00|-|00|4|00|6|00|5|00|4|00|-|00|9|00|4|00|4|00|9|00|-|00|7|00|1|00|8|00|F|00|7|00|1|00|E|00|D|00|9|00|6|00|4|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00A\x007\x00D\x009\x00C\x00C\x00E\x00-\x002\x001\x001\x00A\x00-\x004\x006\x005\x004\x00-\x009\x004\x004\x009\x00-\x007\x001\x008\x00F\x007\x001\x00E\x00D\x009\x006\x004\x004\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33453; reference:cve,2009-0301; classtype:attempted-user; sid:15283; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX vmhwcfg.NwzCompleted ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|h|00|w|00|c|00|f|00|g|00|.|00|N|00|w|00|z|00|C|00|o|00|m|00|p|00|l|00|e|00|t|00|e|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00C\x00o\x00m\x00p\x00l\x00e\x00t\x00e\x00d\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00C\x00o\x00m\x00p\x00l\x00e\x00t\x00e\x00d\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14455; rev:7;) # alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft RSClientPrint ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|A|00|9|00|1|00|D|00|F|00|8|00|D|00|-|00|5|00|3|00|A|00|B|00|-|00|4|00|5|00|5|00|D|00|-|00|A|00|B|00|2|00|0|00|-|00|F|00|2|00|F|00|0|00|2|00|3|00|E|00|4|00|9|00|8|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x009\x001\x00D\x00F\x008\x00D\x00-\x005\x003\x00A\x00B\x00-\x004\x005\x005\x00D\x00-\x00A\x00B\x002\x000\x00-\x00F\x002\x00F\x000\x002\x003\x00E\x004\x009\x008\x00D\x003\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/Osi"; reference:cve,2007-5348; reference:cve,2008-3012; reference:cve,2008-3013; reference:cve,2008-3014; reference:cve,2008-3015; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-052; classtype:attempted-user; sid:14636; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VhdCvtCom.VhdConverter ActiveX function call unicode access"; flow:established,to_client; content:"V|00|h|00|d|00|C|00|v|00|t|00|C|00|o|00|m|00|.|00|V|00|h|00|d|00|C|00|o|00|n|00|v|00|e|00|r|00|t|00|e|00|r|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00V\x00h\x00d\x00C\x00o\x00n\x00v\x00e\x00r\x00t\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00V\x00h\x00d\x00C\x00o\x00n\x00v\x00e\x00r\x00t\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14487; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VhdCvtCom.DiskLibHelper ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|D|00|E|00|6|00|4|00|8|00|5|00|C|00|-|00|5|00|3|00|E|00|6|00|-|00|4|00|E|00|1|00|F|00|-|00|B|00|B|00|F|00|D|00|-|00|1|00|2|00|D|00|9|00|2|00|3|00|8|00|4|00|E|00|C|00|D|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00D\x00E\x006\x004\x008\x005\x00C\x00-\x005\x003\x00E\x006\x00-\x004\x00E\x001\x00F\x00-\x00B\x00B\x00F\x00D\x00-\x001\x002\x00D\x009\x002\x003\x008\x004\x00E\x00C\x00D\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; 
reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14591; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Synactis ALL In-The-Box ActiveX function call unicode access"; flow:established,to_client; content:"A|00|l|00|l|00|_|00|I|00|n|00|_|00|T|00|h|00|e|00|_|00|B|00|o|00|x|00|.|00|A|00|l|00|l|00|B|00|o|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q25)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q26)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33535; reference:cve,2009-0465; classtype:attempted-user; sid:15349; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX reconfig.SystemReconfigur ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|E|00|D|00|5|00|A|00|5|00|B|00|3|00|-|00|C|00|8|00|D|00|4|00|-|00|4|00|5|00|9|00|7|00|-|00|B|00|0|00|8|00|2|00|-|00|4|00|8|00|7|00|0|00|0|00|8|00|D|00|7|00|5|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00E\x00D\x005\x00A\x005\x00B\x003\x00-\x00C\x008\x00D\x004\x00-\x004\x005\x009\x007\x00-\x00B\x000\x008\x002\x00-\x004\x008\x007\x000\x000\x008\x00D\x007\x005\x00E\x003\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14449; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NOS Microsystems / Adobe getPlus Download Manager ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|4|00|0|00|A|00|C|00|C|00|5|00|-|00|E|00|1|00|B|00|B|00|-|00|4|00|a|00|f|00|f|00|-|00|A|00|C|00|7|00|2|00|-|00|0|00|4|00|C|00|2|00|F|00|6|00|1|00|6|00|B|00|C|00|A|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x004\x000\x00A\x00C\x00C\x005\x00-\x00E\x001\x00B\x00B\x00-\x004\x00a\x00f\x00f\x00-\x00A\x00C\x007\x002\x00-\x000\x004\x00C\x002\x00F\x006\x001\x006\x00B\x00C\x00A\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,32105; reference:cve,2008-4817; classtype:attempted-user; sid:15008; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbTreeCtl Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|v|00|m|00|d|00|b|00|T|00|r|00|e|00|e|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00v\x00m\x00d\x00b\x00T\x00r\x00e\x00e\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00v\x00m\x00d\x00b\x00T\x00r\x00e\x00e\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14547; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX iDefense COMRaider ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|A|00|0|00|7|00|7|00|D|00|0|00|D|00|-|00|B|00|4|00|A|00|6|00|-|00|4|00|E|00|C|00|0|00|-|00|B|00|6|00|C|00|F|00|-|00|9|00|8|00|5|00|2|00|6|00|D|00|F|00|5|00|8|00|9|00|E|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00A\x000\x007\x007\x00D\x000\x00D\x00-\x00B\x004\x00A\x006\x00-\x004\x00E\x00C\x000\x00-\x00B\x006\x00C\x00F\x00-\x009\x008\x005\x002\x006\x00D\x00F\x005\x008\x009\x00E\x004\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33867; classtype:attempted-user; sid:15373; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Dart Communications PowerTCP FTP ActiveX function call unicode access"; flow:established,to_client; 
content:"D|00|a|00|r|00|t|00|.|00|F|00|t|00|p|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00a\x00r\x00t\x00.\x00F\x00t\x00p\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)D\x00a\x00r\x00t\x00.\x00F\x00t\x00p\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31814; reference:cve,2008-4652; classtype:attempted-user; sid:14781; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Elevated.VMXCreator ActiveX function call unicode access"; flow:established,to_client; content:"E|00|l|00|e|00|v|00|a|00|t|00|e|00|d|00|.|00|V|00|M|00|X|00|C|00|r|00|e|00|a|00|t|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00V\x00M\x00X\x00C\x00r\x00e\x00a\x00t\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00V\x00M\x00X\x00C\x00r\x00e\x00a\x00t\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14523; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX JamDTA ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|B|00|8|00|F|00|9|00|D|00|C|00|9|00|-|00|A|00|9|00|9|00|C|00|-|00|4|00|0|00|A|00|D|00|-|00|B|00|E|00|4|00|0|00|-|00|8|00|8|00|D|00|D|00|E|00|9|00|2|00|B|00|A|00|C|00|4|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00B\x008\x00F\x009\x00D\x00C\x009\x00-\x00A\x009\x009\x00C\x00-\x004\x000\x00A\x00D\x00-\x00B\x00E\x004\x000\x00-\x008\x008\x00D\x00D\x00E\x009\x002\x00B\x00A\x00C\x004\x001\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33345; classtype:attempted-user; sid:15248; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX MW6 Technologies Barcode ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|4|00|D|00|0|00|9|00|6|00|8|00|8|00|-|00|C|00|F|00|A|00|7|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|9|00|5|00|A|00|-|00|0|00|0|00|5|00|0|00|0|00|4|00|C|00|E|00|5|00|6|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x004\x00D\x000\x009\x006\x008\x008\x00-\x00C\x00F\x00A\x007\x00-\x001\x001\x00D\x005\x00-\x009\x009\x005\x00A\x00-\x000\x000\x005\x000\x000\x004\x00C\x00E\x005\x006\x003\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33451; reference:cve,2008-4924; reference:cve,2009-0298; classtype:attempted-user; sid:15267; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Akamai DownloadManager ActiveX clsid unicode access"; flow:established,to_client; 
content:"F|00|F|00|B|00|B|00|3|00|F|00|3|00|B|00|-|00|0|00|A|00|5|00|A|00|-|00|4|00|1|00|0|00|6|00|-|00|B|00|E|00|5|00|3|00|-|00|D|00|F|00|E|00|1|00|E|00|2|00|3|00|4|00|0|00|C|00|B|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00F\x00B\x00B\x003\x00F\x003\x00B\x00-\x000\x00A\x005\x00A\x00-\x004\x001\x000\x006\x00-\x00B\x00E\x005\x003\x00-\x00D\x00F\x00E\x001\x00E\x002\x003\x004\x000\x00C\x00B\x001\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; reference:url,support.microsoft.com/kb/960715; classtype:attempted-user; sid:15316; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Nwz Class ActiveX function call unicode access"; flow:established,to_client; content:"v|00|m|00|h|00|w|00|c|00|f|00|g|00|.|00|N|00|w|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14551; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Web on Windows ActiveX function call unicode access"; flow:established,to_client; 
content:"A|00|l|00|l|00|_|00|I|00|n|00|_|00|T|00|h|00|e|00|_|00|B|00|o|00|x|00|.|00|A|00|l|00|l|00|B|00|o|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q30)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q31)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,33515; reference:cve,2009-0389; classtype:attempted-user; sid:15353; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GeoVision LiveX 7000 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|A|00|8|00|4|00|8|00|4|00|D|00|E|00|-|00|5|00|2|00|D|00|B|00|-|00|4|00|8|00|6|00|0|00|-|00|A|00|9|00|8|00|6|00|-|00|6|00|1|00|A|00|8|00|6|00|8|00|2|00|E|00|2|00|9|00|8|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x008\x004\x008\x004\x00D\x00E\x00-\x005\x002\x00D\x00B\x00-\x004\x008\x006\x000\x00-\x00A\x009\x008\x006\x00-\x006\x001\x00A\x008\x006\x008\x002\x00E\x002\x009\x008\x00A\x00(}\x00)?(?P=q9)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33782; reference:cve,2009-0865; classtype:attempted-user; sid:15335; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Debug Diagnostic Tool ActiveX function call unicode access"; 
flow:established,to_client; content:"C|00|r|00|a|00|s|00|h|00|H|00|a|00|n|00|g|00|E|00|x|00|t|00|.|00|U|00|t|00|i|00|l|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00r\x00a\x00s\x00h\x00H\x00a\x00n\x00g\x00E\x00x\x00t\x00.\x00U\x00t\x00i\x00l\x00s\x00(\.\x00\d\x00)?(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)C\x00r\x00a\x00s\x00h\x00H\x00a\x00n\x00g\x00E\x00x\x00t\x00.\x00U\x00t\x00i\x00l\x00s\x00(\.\x00\d\x00)?(?P=q13)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,31996; reference:cve,2008-4800; classtype:attempted-user; sid:15002; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VMList Class ActiveX clsid unicode access"; flow:established,to_client; content:"f|00|7|00|6|00|e|00|4|00|7|00|9|00|9|00|-|00|3|00|7|00|9|00|b|00|-|00|4|00|3|00|6|00|2|00|-|00|b|00|c|00|c|00|4|00|-|00|6|00|8|00|b|00|7|00|5|00|3|00|d|00|1|00|0|00|7|00|4|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x007\x006\x00e\x004\x007\x009\x009\x00-\x003\x007\x009\x00b\x00-\x004\x003\x006\x002\x00-\x00b\x00c\x00c\x004\x00-\x006\x008\x00b\x007\x005\x003\x00d\x001\x000\x007\x004\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14579; rev:7;) # 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VmdbTreeCtl Class ActiveX clsid unicode access"; flow:established,to_client; content:"e|00|6|00|6|00|9|00|5|00|4|00|7|00|d|00|-|00|a|00|e|00|5|00|2|00|-|00|4|00|5|00|9|00|f|00|-|00|9|00|c|00|0|00|7|00|-|00|c|00|c|00|5|00|f|00|1|00|7|00|b|00|4|00|b|00|1|00|6|00|f|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x006\x006\x009\x005\x004\x007\x00d\x00-\x00a\x00e\x005\x002\x00-\x004\x005\x009\x00f\x00-\x009\x00c\x000\x007\x00-\x00c\x00c\x005\x00f\x001\x007\x00b\x004\x00b\x001\x006\x00f\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14545; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX eBay Picture Uploads control 1 ActiveX function call unicode access"; flow:established,to_client; content:"E|00|P|00|U|00|W|00|a|00|l|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|E|00|P|00|U|00|I|00|m|00|a|00|g|00|e|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00P\x00U\x00W\x00a\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00E\x00P\x00U\x00I\x00m\x00a\x00g\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00P\x00U\x00W\x00a\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00E\x00P\x00U\x00I\x00m\x00a\x00g\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q8)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15550; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX eBay Picture Uploads control 1 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|C|00|3|00|9|00|3|00|7|00|6|00|E|00|-|00|F|00|A|00|9|00|D|00|-|00|4|00|3|00|4|00|9|00|-|00|B|00|A|00|C|00|C|00|-|00|D|00|3|00|0|00|5|00|C|00|1|00|7|00|5|00|0|00|E|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00C\x003\x009\x003\x007\x006\x00E\x00-\x00F\x00A\x009\x00D\x00-\x004\x003\x004\x009\x00-\x00B\x00A\x00C\x00C\x00-\x00D\x003\x000\x005\x00C\x001\x007\x005\x000\x00E\x00F\x003\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15548; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX eBay Picture Uploads control 2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"C|00|3|00|E|00|B|00|1|00|6|00|7|00|0|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|E|00|D|00|A|00|-|00|B|00|5|00|7|00|0|00|-|00|0|00|B|00|5|00|1|00|A|00|A|00|E|00|8|00|1|00|6|00|7|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x003\x00E\x00B\x001\x006\x007\x000\x00-\x008\x004\x00E\x000\x00-\x004\x00E\x00D\x00A\x00-\x00B\x005\x007\x000\x00-\x000\x00B\x005\x001\x00A\x00A\x00E\x008\x001\x006\x007\x009\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15552; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Communications Control v6 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|4|00|8|00|A|00|5|00|6|00|0|00|0|00|-|00|2|00|C|00|6|00|E|00|-|00|1|00|0|00|1|00|B|00|-|00|8|00|2|00|B|00|6|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x004\x008\x00A\x005\x006\x000\x000\x00-\x002\x00C\x006\x00E\x00-\x001\x000\x001\x00B\x00-\x008\x002\x00B\x006\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x001\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15544; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Communications Control v6 ActiveX function call unicode access"; flow:established,to_client; content:"M|00|S|00|C|00|O|00|M|00|M|00|L|00|i|00|b|00|.|00|M|00|S|00|C|00|o|00|m|00|m|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00C\x00O\x00M\x00M\x00L\x00i\x00b\x00.\x00M\x00S\x00C\x00o\x00m\x00m\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00C\x00O\x00M\x00M\x00L\x00i\x00b\x00.\x00M\x00S\x00C\x00o\x00m\x00m\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,support.microsoft.com/kb/969898; classtype:attempted-user; sid:15546; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP AG SAPgui EnjoySAP ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|6|00|9|00|0|00|8|00|F|00|8|00|3|00|-|00|A|00|D|00|A|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|A|00|A|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|1|00|9|00|8|00|7|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x006\x009\x000\x008\x00F\x008\x003\x00-\x00A\x00D\x00A\x006\x00-\x001\x001\x00D\x000\x00-\x008\x007\x00A\x00A\x00-\x000\x000\x00A\x00A\x000\x000\x001\x009\x008\x007\x000\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,35256; classtype:attempted-user; sid:15558; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 18 ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|7|00|7|00|F|00|A|00|A|00|1|00|8|00|-|00|4|00|5|00|1|00|8|00|-|00|4|00|4|00|5|00|E|00|-|00|8|00|F|00|7|00|0|00|-|00|1|00|4|00|7|00|3|00|F|00|8|00|C|00|F|00|4|00|B|00|A|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x007\x007\x00F\x00A\x00A\x001\x008\x00-\x004\x005\x001\x008\x00-\x004\x004\x005\x00E\x00-\x008\x00F\x007\x000\x00-\x001\x004\x007\x003\x00F\x008\x00C\x00F\x004\x00B\x00A\x004\x00(}\x00)?(?P=q20)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15607; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 43 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|0|00|2|00|A|00|A|00|C|00|5|00|0|00|-|00|0|00|2|00|7|00|E|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x000\x002\x00A\x00A\x00C\x005\x000\x00-\x000\x002\x007\x00E\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q76)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15663; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 40 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|D|00|0|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00D\x000\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q70)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15657; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 9 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|C|00|1|00|5|00|D|00|4|00|8|00|4|00|-|00|9|00|1|00|1|00|D|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00C\x001\x005\x00D\x004\x008\x004\x00-\x009\x001\x001\x00D\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x002\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q90)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15677; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 28 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|2|00|E|00|3|00|0|00|7|00|4|00|E|00|-|00|6|00|C|00|3|00|D|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x002\x00E\x003\x000\x007\x004\x00E\x00-\x006\x00C\x003\x00D\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x003\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q42)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15629; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 11 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|C|00|6|00|3|00|E|00|4|00|E|00|B|00|-|00|4|00|C|00|E|00|A|00|-|00|4|00|1|00|B|00|8|00|-|00|9|00|1|00|9|00|C|00|-|00|E|00|9|00|4|00|7|00|E|00|A|00|1|00|9|00|A|00|7|00|7|00|C|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00C\x006\x003\x00E\x004\x00E\x00B\x00-\x004\x00C\x00E\x00A\x00-\x004\x001\x00B\x008\x00-\x009\x001\x009\x00C\x00-\x00E\x009\x004\x007\x00E\x00A\x001\x009\x00A\x007\x007\x00C\x00(}\x00)?(?P=q6)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15593; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 4 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|3|00|6|00|9|00|B|00|4|00|E|00|6|00|-|00|4|00|5|00|B|00|6|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x006\x009\x00B\x004\x00E\x006\x00-\x004\x005\x00B\x006\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x000\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q68)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15655; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 42 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|A|00|A|00|F|00|D|00|D|00|8|00|3|00|-|00|C|00|E|00|F|00|C|00|-|00|4|00|E|00|3|00|D|00|-|00|B|00|A|00|0|00|3|00|-|00|1|00|7|00|5|00|F|00|1|00|7|00|A|00|2|00|4|00|F|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x00A\x00F\x00D\x00D\x008\x003\x00-\x00C\x00E\x00F\x00C\x00-\x004\x00E\x003\x00D\x00-\x00B\x00A\x000\x003\x00-\x001\x007\x005\x00F\x001\x007\x00A\x002\x004\x00F\x009\x001\x00(}\x00)?(?P=q74)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15661; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 12 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|3|00|4|00|1|00|2|00|5|00|C|00|0|00|-|00|7|00|7|00|E|00|5|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x003\x004\x001\x002\x005\x00C\x000\x00-\x007\x007\x00E\x005\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x003\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q8)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15595; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 21 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|2|00|3|00|5|00|3|00|5|00|A|00|0|00|-|00|0|00|3|00|1|00|8|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x002\x003\x005\x003\x005\x00A\x000\x00-\x000\x003\x001\x008\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q28)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15615; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 45 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|A|00|7|00|C|00|3|00|7|00|5|00|B|00|-|00|6|00|6|00|A|00|7|00|-|00|4|00|2|00|8|00|0|00|-|00|8|00|7|00|9|00|D|00|-|00|F|00|D|00|4|00|5|00|9|00|C|00|8|00|4|00|B|00|B|00|0|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x007\x00C\x003\x007\x005\x00B\x00-\x006\x006\x00A\x007\x00-\x004\x002\x008\x000\x00-\x008\x007\x009\x00D\x00-\x00F\x00D\x004\x005\x009\x00C\x008\x004\x00B\x00B\x000\x002\x00(}\x00)?(?P=q80)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15667; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 24 ActiveX clsid unicode access"; flow:established,to_client; content:"8|00|A|00|6|00|7|00|4|00|B|00|4|00|D|00|-|00|1|00|F|00|6|00|3|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00A\x006\x007\x004\x00B\x004\x00D\x00-\x001\x00F\x006\x003\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q34)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15621; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 34 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|B|00|5|00|3|00|0|00|C|00|6|00|3|00|-|00|D|00|9|00|D|00|F|00|-|00|4|00|B|00|4|00|9|00|-|00|9|00|4|00|3|00|9|00|-|00|6|00|3|00|4|00|5|00|3|00|9|00|6|00|2|00|E|00|5|00|9|00|8|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00B\x005\x003\x000\x00C\x006\x003\x00-\x00D\x009\x00D\x00F\x00-\x004\x00B\x004\x009\x00-\x009\x004\x003\x009\x00-\x006\x003\x004\x005\x003\x009\x006\x002\x00E\x005\x009\x008\x00(}\x00)?(?P=q56)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15643; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 31 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|D|00|8|00|E|00|5|00|1|00|0|00|D|00|-|00|2|00|1|00|7|00|F|00|-|00|4|00|0|00|9|00|B|00|-|00|8|00|0|00|7|00|6|00|-|00|2|00|9|00|C|00|5|00|E|00|7|00|3|00|B|00|9|00|8|00|E|00|8|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00D\x008\x00E\x005\x001\x000\x00D\x00-\x002\x001\x007\x00F\x00-\x004\x000\x009\x00B\x00-\x008\x000\x007\x006\x00-\x002\x009\x00C\x005\x00E\x007\x003\x00B\x009\x008\x00E\x008\x00(}\x00)?(?P=q50)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15637; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 1 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|1|00|1|00|B|00|3|00|6|00|1|00|9|00|-|00|F|00|E|00|6|00|3|00|-|00|4|00|8|00|1|00|4|00|-|00|8|00|A|00|8|00|4|00|-|00|1|00|5|00|A|00|1|00|9|00|4|00|C|00|E|00|9|00|C|00|E|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x001\x001\x00B\x003\x006\x001\x009\x00-\x00F\x00E\x006\x003\x00-\x004\x008\x001\x004\x00-\x008\x00A\x008\x004\x00-\x001\x005\x00A\x001\x009\x004\x00C\x00E\x009\x00C\x00E\x003\x00(}\x00)?(?P=q2)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15589; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 2 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|1|00|4|00|9|00|E|00|E|00|D|00|F|00|-|00|D|00|0|00|8|00|F|00|-|00|4|00|1|00|4|00|2|00|-|00|8|00|D|00|7|00|3|00|-|00|D|00|2|00|3|00|9|00|0|00|3|00|D|00|2|00|1|00|E|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x001\x004\x009\x00E\x00E\x00D\x00F\x00-\x00D\x000\x008\x00F\x00-\x004\x001\x004\x002\x00-\x008\x00D\x007\x003\x00-\x00D\x002\x003\x009\x000\x003\x00D\x002\x001\x00E\x009\x000\x00(}\x00)?(?P=q24)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15611; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 17 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|A|00|5|00|8|00|6|00|9|00|C|00|F|00|-|00|9|00|2|00|9|00|D|00|-|00|4|00|0|00|4|00|0|00|-|00|A|00|E|00|0|00|3|00|-|00|F|00|C|00|A|00|F|00|C|00|5|00|B|00|9|00|C|00|D|00|4|00|2|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00A\x005\x008\x006\x009\x00C\x00F\x00-\x009\x002\x009\x00D\x00-\x004\x000\x004\x000\x00-\x00A\x00E\x000\x003\x00-\x00F\x00C\x00A\x00F\x00C\x005\x00B\x009\x00C\x00D\x004\x002\x00(}\x00)?(?P=q18)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15605; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 13 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|7|00|B|00|0|00|3|00|5|00|3|00|C|00|-|00|A|00|4|00|C|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x00B\x000\x003\x005\x003\x00C\x00-\x00A\x004\x00C\x008\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q10)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15597; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 33 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|6|00|4|00|0|00|1|00|6|00|F|00|3|00|-|00|C|00|9|00|A|00|2|00|-|00|4|00|0|00|6|00|6|00|-|00|9|00|6|00|F|00|0|00|-|00|B|00|D|00|9|00|5|00|6|00|3|00|3|00|1|00|4|00|7|00|2|00|6|00|"; fast_pattern:only; nocase; 
pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x006\x004\x000\x001\x006\x00F\x003\x00-\x00C\x009\x00A\x002\x00-\x004\x000\x006\x006\x00-\x009\x006\x00F\x000\x00-\x00B\x00D\x009\x005\x006\x003\x003\x001\x004\x007\x002\x006\x00(}\x00)?(?P=q54)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15641; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 14 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|7|00|B|00|0|00|3|00|5|00|4|00|3|00|-|00|A|00|4|00|C|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x00B\x000\x003\x005\x004\x003\x00-\x00A\x004\x00C\x008\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q12)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15599; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 32 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|0|00|E|00|D|00|F|00|1|00|6|00|3|00|-|00|9|00|1|00|0|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x00E\x00D\x00F\x001\x006\x003\x00-\x009\x001\x000\x00A\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x002\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; reference:cve,2008-0015; reference:cve,2009-2493; reference:cve,2009-2494; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:15639; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 41 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|6|00|B|00|1|00|4|00|B|00|3|00|2|00|-|00|7|00|6|00|A|00|A|00|-|00|4|00|A|00|8|00|6|00|-|00|A|00|7|00|A|00|C|00|-|00|5|00|C|00|7|00|9|00|A|00|A|00|F|00|5|00|8|00|D|00|A|00|7|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x006\x00B\x001\x004\x00B\x003\x002\x00-\x007\x006\x00A\x00A\x00-\x004\x00A\x008\x006\x00-\x00A\x007\x00A\x00C\x00-\x005\x00C\x007\x009\x00A\x00A\x00F\x005\x008\x00D\x00A\x007\x00(}\x00)?(?P=q72)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15659; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 36 ActiveX clsid unicode access"; 
flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|C|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00C\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q60)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15647; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 3 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|3|00|6|00|9|00|B|00|4|00|E|00|5|00|-|00|4|00|5|00|B|00|6|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x006\x009\x00B\x004\x00E\x005\x00-\x004\x005\x00B\x006\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x000\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q46)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15633; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 22 ActiveX clsid unicode access"; flow:established,to_client; 
content:"8|00|8|00|7|00|2|00|F|00|F|00|1|00|B|00|-|00|9|00|8|00|F|00|A|00|-|00|4|00|D|00|7|00|A|00|-|00|8|00|D|00|9|00|3|00|-|00|C|00|9|00|F|00|1|00|0|00|5|00|5|00|F|00|8|00|5|00|B|00|B|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x008\x007\x002\x00F\x00F\x001\x00B\x00-\x009\x008\x00F\x00A\x00-\x004\x00D\x007\x00A\x00-\x008\x00D\x009\x003\x00-\x00C\x009\x00F\x001\x000\x005\x005\x00F\x008\x005\x00B\x00B\x00(}\x00)?(?P=q30)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15617; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 35 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|5|00|3|00|1|00|D|00|9|00|F|00|D|00|-|00|9|00|6|00|8|00|5|00|-|00|4|00|0|00|2|00|8|00|-|00|8|00|B|00|6|00|8|00|-|00|6|00|E|00|1|00|2|00|3|00|2|00|0|00|7|00|9|00|F|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x003\x001\x00D\x009\x00F\x00D\x00-\x009\x006\x008\x005\x00-\x004\x000\x002\x008\x00-\x008\x00B\x006\x008\x00-\x006\x00E\x001\x002\x003\x002\x000\x007\x009\x00F\x001\x00E\x00(}\x00)?(?P=q58)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15645; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 25 ActiveX clsid unicode access"; flow:established,to_client; 
content:"9|00|C|00|D|00|6|00|4|00|7|00|0|00|1|00|-|00|B|00|D|00|F|00|3|00|-|00|4|00|D|00|1|00|4|00|-|00|8|00|E|00|0|00|3|00|-|00|F|00|1|00|2|00|9|00|8|00|3|00|D|00|8|00|6|00|6|00|6|00|4|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00C\x00D\x006\x004\x007\x000\x001\x00-\x00B\x00D\x00F\x003\x00-\x004\x00D\x001\x004\x00-\x008\x00E\x000\x003\x00-\x00F\x001\x002\x009\x008\x003\x00D\x008\x006\x006\x006\x004\x00(}\x00)?(?P=q36)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15623; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 37 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|D|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00D\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q62)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15649; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 19 ActiveX clsid unicode access"; flow:established,to_client; 
content:"5|00|9|00|D|00|C|00|4|00|7|00|A|00|8|00|-|00|1|00|1|00|6|00|C|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x009\x00D\x00C\x004\x007\x00A\x008\x00-\x001\x001\x006\x00C\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q22)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15609; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 30 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|8|00|D|00|C|00|F|00|3|00|D|00|5|00|-|00|0|00|7|00|8|00|0|00|-|00|4|00|E|00|F|00|4|00|-|00|8|00|A|00|8|00|3|00|-|00|2|00|C|00|F|00|F|00|A|00|A|00|C|00|B|00|8|00|A|00|C|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x008\x00D\x00C\x00F\x003\x00D\x005\x00-\x000\x007\x008\x000\x00-\x004\x00E\x00F\x004\x00-\x008\x00A\x008\x003\x00-\x002\x00C\x00F\x00F\x00A\x00A\x00C\x00B\x008\x00A\x00C\x00E\x00(}\x00)?(?P=q48)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15635; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 10 ActiveX clsid unicode access"; flow:established,to_client; 
content:"1|00|D|00|F|00|7|00|D|00|1|00|2|00|6|00|-|00|4|00|0|00|5|00|0|00|-|00|4|00|7|00|F|00|0|00|-|00|A|00|7|00|C|00|F|00|-|00|4|00|C|00|4|00|C|00|A|00|9|00|2|00|4|00|1|00|3|00|3|00|3|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00D\x00F\x007\x00D\x001\x002\x006\x00-\x004\x000\x005\x000\x00-\x004\x007\x00F\x000\x00-\x00A\x007\x00C\x00F\x00-\x004\x00C\x004\x00C\x00A\x009\x002\x004\x001\x003\x003\x003\x00(}\x00)?(?P=q4)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15591; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 39 ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|F|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00F\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q66)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15653; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 15 ActiveX clsid unicode access"; flow:established,to_client; 
content:"3|00|7|00|B|00|0|00|3|00|5|00|4|00|4|00|-|00|A|00|4|00|C|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x00B\x000\x003\x005\x004\x004\x00-\x00A\x004\x00C\x008\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q14)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15601; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 44 ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|9|00|7|00|6|00|9|00|A|00|0|00|6|00|-|00|7|00|A|00|C|00|A|00|-|00|4|00|E|00|3|00|9|00|-|00|9|00|C|00|F|00|B|00|-|00|9|00|7|00|B|00|B|00|3|00|5|00|F|00|0|00|E|00|7|00|7|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x009\x007\x006\x009\x00A\x000\x006\x00-\x007\x00A\x00C\x00A\x00-\x004\x00E\x003\x009\x00-\x009\x00C\x00F\x00B\x00-\x009\x007\x00B\x00B\x003\x005\x00F\x000\x00E\x007\x007\x00E\x00(}\x00)?(?P=q78)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15665; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 20 ActiveX clsid unicode access"; flow:established,to_client; 
content:"7|00|F|00|9|00|C|00|B|00|1|00|4|00|D|00|-|00|4|00|8|00|E|00|4|00|-|00|4|00|3|00|B|00|6|00|-|00|9|00|3|00|4|00|6|00|-|00|1|00|A|00|E|00|B|00|C|00|3|00|9|00|C|00|6|00|4|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00F\x009\x00C\x00B\x001\x004\x00D\x00-\x004\x008\x00E\x004\x00-\x004\x003\x00B\x006\x00-\x009\x003\x004\x006\x00-\x001\x00A\x00E\x00B\x00C\x003\x009\x00C\x006\x004\x00D\x003\x00(}\x00)?(?P=q26)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15613; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 27 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|1|00|A|00|2|00|B|00|1|00|C|00|4|00|-|00|0|00|E|00|3|00|A|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x001\x00A\x002\x00B\x001\x00C\x004\x00-\x000\x00E\x003\x00A\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q40)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15627; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 5 ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|5|00|5|00|C|00|B|00|2|00|D|00|7|00|-|00|2|00|9|00|6|00|9|00|-|00|4|00|5|00|C|00|D|00|-|00|9|00|1|00|4|00|B|00|-|00|7|00|6|00|8|00|9|00|0|00|7|00|2|00|2|00|F|00|1|00|1|00|2|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x005\x005\x00C\x00B\x002\x00D\x007\x00-\x002\x009\x006\x009\x00-\x004\x005\x00C\x00D\x00-\x009\x001\x004\x00B\x00-\x007\x006\x008\x009\x000\x007\x002\x002\x00F\x001\x001\x002\x00(}\x00)?(?P=q82)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15669; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 29 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|2|00|E|00|3|00|0|00|7|00|5|00|0|00|-|00|6|00|C|00|3|00|D|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x002\x00E\x003\x000\x007\x005\x000\x00-\x006\x00C\x003\x00D\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x003\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q44)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15631; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 38 ActiveX clsid unicode access"; flow:established,to_client; 
content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|E|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00E\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q64)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15651; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 8 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|B|00|E|00|4|00|9|00|F|00|3|00|0|00|-|00|0|00|E|00|1|00|B|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00B\x00E\x004\x009\x00F\x003\x000\x00-\x000\x00E\x001\x00B\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q88)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15675; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 23 ActiveX clsid unicode access"; flow:established,to_client; 
content:"8|00|A|00|6|00|7|00|4|00|B|00|4|00|C|00|-|00|1|00|F|00|6|00|3|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00A\x006\x007\x004\x00B\x004\x00C\x00-\x001\x00F\x006\x003\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q32)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15619; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 26 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|E|00|7|00|7|00|A|00|A|00|C|00|4|00|-|00|3|00|5|00|E|00|5|00|-|00|4|00|2|00|A|00|1|00|-|00|B|00|D|00|C|00|2|00|-|00|8|00|F|00|3|00|F|00|F|00|3|00|9|00|9|00|8|00|4|00|7|00|C|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00E\x007\x007\x00A\x00A\x00C\x004\x00-\x003\x005\x00E\x005\x00-\x004\x002\x00A\x001\x00-\x00B\x00D\x00C\x002\x00-\x008\x00F\x003\x00F\x00F\x003\x009\x009\x008\x004\x007\x00C\x00(}\x00)?(?P=q38)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15625; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 16 ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|1|00|8|00|0|00|0|00|8|00|F|00|3|00|-|00|C|00|F|00|6|00|7|00|-|00|4|00|6|00|6|00|8|00|-|00|9|00|6|00|2|00|8|00|-|00|1|00|0|00|D|00|C|00|5|00|2|00|B|00|E|00|1|00|D|00|0|00|8|00|"; fast_pattern:only; nocase; pcre:"/c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x008\x000\x000\x008\x00F\x003\x00-\x00C\x00F\x006\x007\x00-\x004\x006\x006\x008\x00-\x009\x006\x002\x008\x00-\x001\x000\x00D\x00C\x005\x002\x00B\x00E\x001\x00D\x000\x008\x00(}\x00)?(?P=q16)/siO"; reference:cve,2008-0015; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15603; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Web Components Spreadsheet ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|1|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x001\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:cve,2009-1534; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15859; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Web Components Datasource ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|0|00|0|00|2|00|E|00|5|00|4|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x004\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2009-0562; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15853; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX function call unicode access"; flow:established,to_client; content:"O|00|W|00|C|00|1|00|0|00|.|00|S|00|p|00|r|00|e|00|a|00|d|00|s|00|h|00|e|00|e|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x000\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x000\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2002-0727; reference:cve,2002-0861; reference:cve,2009-1136; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-044; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15856; rev:5;) # 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AcerCtrls.APlunch ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|8|00|9|00|5|00|D|00|D|00|3|00|5|00|-|00|7|00|5|00|7|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|F|00|E|00|D|00|-|00|0|00|0|00|6|00|0|00|6|00|7|00|3|00|0|00|D|00|3|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x008\x009\x005\x00D\x00D\x003\x005\x00-\x007\x005\x007\x003\x00-\x001\x001\x00D\x002\x00-\x008\x00F\x00E\x00D\x00-\x000\x000\x006\x000\x006\x007\x003\x000\x00D\x003\x00A\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2627; reference:url,www.kb.cert.org/vuls/id/485961; classtype:attempted-user; sid:15879; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DHTML Editing ActiveX function call unicode access"; flow:established,to_client; content:"D|00|H|00|T|00|M|00|L|00|S|00|a|00|f|00|e|00|.|00|D|00|H|00|T|00|M|00|L|00|S|00|a|00|f|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00.\x00D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00.\x00D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,116; reference:bugtraq,12602; reference:bugtraq,1474; reference:cve,1999-0487; reference:cve,2005-0500; 
reference:cve,2009-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-011; classtype:attempted-user; sid:15925; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DHTML Editing ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|D|00|3|00|6|00|0|00|2|00|0|00|1|00|-|00|F|00|F|00|F|00|5|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|D|00|0|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|5|00|9|00|B|00|C|00|0|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00D\x003\x006\x000\x002\x000\x001\x00-\x00F\x00F\x00F\x005\x00-\x001\x001\x00d\x001\x00-\x008\x00D\x000\x003\x00-\x000\x000\x00A\x000\x00C\x009\x005\x009\x00B\x00C\x000\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,116; reference:bugtraq,12602; reference:bugtraq,1474; reference:cve,1999-0487; reference:cve,2005-0500; reference:cve,2009-2519; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-011; classtype:attempted-user; sid:15923; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PPStream PPSMediaList ActiveX function call unicode access"; flow:established,to_client; content:"P|00|P|00|S|00|M|00|E|00|D|00|I|00|A|00|L|00|I|00|S|00|T|00|.|00|P|00|P|00|S|00|M|00|e|00|d|00|i|00|a|00|L|00|i|00|s|00|t|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00P\x00S\x00M\x00E\x00D\x00I\x00A\x00L\x00I\x00S\x00T\x00.\x00P\x00P\x00S\x00M\x00e\x00d\x00i\x00a\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)P\x00P\x00S\x00M\x00E\x00D\x00I\x00A\x00L\x00I\x00S\x00T\x00.\x00P\x00P\x00S\x00M\x00e\x00d\x00i\x00a\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,36234; classtype:attempted-user; sid:15929; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX PPStream PPSMediaList ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|2|00|2|00|D|00|E|00|7|00|4|00|2|00|-|00|0|00|4|00|C|00|D|00|-|00|4|00|B|00|5|00|C|00|-|00|A|00|8|00|A|00|3|00|-|00|8|00|2|00|A|00|B|00|3|00|D|00|A|00|E|00|C|00|4|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x002\x002\x00D\x00E\x007\x004\x002\x00-\x000\x004\x00C\x00D\x00-\x004\x00B\x005\x00C\x00-\x00A\x008\x00A\x003\x00-\x008\x002\x00A\x00B\x003\x00D\x00A\x00E\x00C\x004\x003\x00D\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,36234; classtype:attempted-user; sid:15927; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 3 ActiveX clsid unicode access"; flow:established,to_client; 
content:"1|00|5|00|7|00|2|00|1|00|a|00|5|00|3|00|-|00|8|00|4|00|4|00|8|00|-|00|4|00|7|00|3|00|1|00|-|00|8|00|b|00|f|00|c|00|-|00|e|00|d|00|1|00|1|00|e|00|1|00|2|00|8|00|e|00|4|00|4|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x005\x007\x002\x001\x00a\x005\x003\x00-\x008\x004\x004\x008\x00-\x004\x007\x003\x001\x00-\x008\x00b\x00f\x00c\x00-\x00e\x00d\x001\x001\x00e\x001\x002\x008\x00e\x004\x004\x004\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16164; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 2 ActiveX clsid unicode access"; flow:established,to_client; content:"D|00|B|00|6|00|4|00|0|00|C|00|8|00|6|00|-|00|7|00|3|00|1|00|C|00|-|00|4|00|8|00|4|00|A|00|-|00|A|00|A|00|A|00|F|00|-|00|7|00|5|00|0|00|6|00|5|00|6|00|C|00|9|00|1|00|8|00|7|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00B\x006\x004\x000\x00C\x008\x006\x00-\x007\x003\x001\x00C\x00-\x004\x008\x004\x00A\x00-\x00A\x00A\x00A\x00F\x00-\x007\x005\x000\x006\x005\x006\x00C\x009\x001\x008\x007\x00D\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16162; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft 
Excel Add-in for SQL Analysis Services 1 ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|7|00|A|00|3|00|D|00|3|00|2|00|8|00|-|00|D|00|2|00|0|00|6|00|-|00|4|00|1|00|0|00|6|00|-|00|8|00|D|00|3|00|3|00|-|00|1|00|A|00|A|00|3|00|9|00|B|00|1|00|3|00|3|00|9|00|4|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x007\x00A\x003\x00D\x003\x002\x008\x00-\x00D\x002\x000\x006\x00-\x004\x001\x000\x006\x00-\x008\x00D\x003\x003\x00-\x001\x00A\x00A\x003\x009\x00B\x001\x003\x003\x009\x004\x00B\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16160; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 4 ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|2|00|6|00|7|00|1|00|2|00|3|00|E|00|-|00|5|00|3|00|0|00|D|00|-|00|4|00|E|00|7|00|3|00|-|00|9|00|D|00|A|00|7|00|-|00|7|00|9|00|F|00|0|00|1|00|D|00|8|00|6|00|A|00|8|00|9|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x002\x006\x007\x001\x002\x003\x00E\x00-\x005\x003\x000\x00D\x00-\x004\x00E\x007\x003\x00-\x009\x00D\x00A\x007\x00-\x007\x009\x00F\x000\x001\x00D\x008\x006\x00A\x008\x009\x00F\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2493; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-072; classtype:attempted-user; sid:16166; 
rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX function call unicode access"; flow:established,to_client; content:"A|00|l|00|t|00|i|00|r|00|i|00|s|00|.|00|A|00|e|00|X|00|N|00|S|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00|U|00|t|00|i|00|l|00|i|00|t|00|i|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00U\x00t\x00i\x00l\x00i\x00t\x00i\x00e\x00s\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00U\x00t\x00i\x00l\x00i\x00t\x00i\x00e\x00s\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,36698; reference:bugtraq,37092; reference:cve,2009-3031; reference:cve,2009-3033; classtype:attempted-user; sid:16308; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|4|00|4|00|D|00|2|00|5|00|2|00|D|00|-|00|9|00|8|00|F|00|C|00|-|00|4|00|D|00|5|00|C|00|-|00|9|00|4|00|8|00|C|00|-|00|B|00|E|00|8|00|6|00|8|00|3|00|9|00|2|00|A|00|0|00|0|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x004\x004\x00D\x002\x005\x002\x00D\x00-\x009\x008\x00F\x00C\x00-\x004\x00D\x005\x00C\x00-\x009\x004\x008\x00C\x00-\x00B\x00E\x008\x006\x008\x003\x009\x002\x00A\x000\x000\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,36698; reference:bugtraq,37092; reference:cve,2009-3031; reference:cve,2009-3033; classtype:attempted-user; sid:16306; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP AG SAPgui sapirrfc ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|7|00|F|00|1|00|2|00|F|00|8|00|A|00|-|00|F|00|1|00|1|00|7|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|C|00|F|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|D|00|9|00|D|00|8|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x007\x00F\x001\x002\x00F\x008\x00A\x00-\x00F\x001\x001\x007\x00-\x001\x001\x00D\x000\x00-\x008\x00C\x00F\x001\x00-\x000\x000\x00A\x000\x00C\x009\x001\x00D\x009\x00D\x008\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,35256; reference:url,service.sap.com/sap/support/notes/1286637; classtype:attempted-user; sid:16380; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Tumbleweed SecureTransport ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|8|00|6|00|8|00|1|00|f|00|b|00|d|00|-|00|d|00|4|00|c|00|c|00|-|00|4|00|a|00|5|00|9|00|-|00|a|00|5|00|2|00|7|00|-|00|b|00|3|00|1|00|3|00|6|00|d|00|b|00|7|00|1|00|1|00|d|00|3|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x008\x006\x008\x001\x00f\x00b\x00d\x00-\x00d\x004\x00c\x00c\x00-\x004\x00a\x005\x009\x00-\x00a\x005\x002\x007\x00-\x00b\x003\x001\x003\x006\x00d\x00b\x007\x001\x001\x00d\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; classtype:attempted-user; sid:16567; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EasyMail IMAP4 ActiveX function call unicode access"; flow:established,to_client; content:"E|00|a|00|s|00|y|00|M|00|a|00|i|00|l|00|.|00|I|00|M|00|A|00|P|00|4|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00a\x00s\x00y\x00M\x00a\x00i\x00l\x00.\x00I\x00M\x00A\x00P\x004\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00a\x00s\x00y\x00M\x00a\x00i\x00l\x00.\x00I\x00M\x00A\x00P\x004\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16782; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Access Support ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|4|00|F|00|F|00|E|00|2|00|8|00|D|00|-|00|2|00|3|00|7|00|8|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|9|00|0|00|C|00|-|00|0|00|0|00|6|00|0|00|9|00|4|00|2|00|3|00|5|00|0|00|8|00|4|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x004\x00F\x00F\x00E\x002\x008\x00D\x00-\x002\x003\x007\x008\x00-\x001\x001\x00D\x005\x00-\x009\x009\x000\x00C\x00-\x000\x000\x006\x000\x009\x004\x002\x003\x005\x000\x008\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16747; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call unicode access"; flow:established,to_client; content:"E|00|A|00|I|00|W|00|e|00|b|00|.|00|W|00|e|00|b|00|V|00|i|00|e|00|w|00|e|00|r|00|3|00|D|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)E\x00A\x00I\x00W\x00e\x00b\x00.\x00W\x00e\x00b\x00V\x00i\x00e\x00w\x00e\x00r\x003\x00D\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)E\x00A\x00I\x00W\x00e\x00b\x00.\x00W\x00e\x00b\x00V\x00i\x00e\x00w\x00e\x00r\x003\x00D\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,34310; reference:cve,2007-4475; classtype:attempted-user; sid:16794; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|F|00|B|00|B|00|E|00|0|00|7|00|0|00|-|00|7|00|3|00|4|00|0|00|-|00|1|00|1|00|d|00|2|00|-|00|A|00|A|00|6|00|B|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|2|00|4|00|C|00|3|00|4|00|E|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00F\x00B\x00B\x00E\x000\x007\x000\x00-\x007\x003\x004\x000\x00-\x001\x001\x00d\x002\x00-\x00A\x00A\x006\x00B\x00-\x000\x000\x00E\x000\x002\x009\x002\x004\x00C\x003\x004\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,34310; reference:cve,2007-4475; classtype:attempted-user; sid:16792; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IBM Access Support ActiveX function call unicode access"; flow:established,to_client; content:"I|00|b|00|m|00|E|00|g|00|a|00|t|00|h|00|.|00|I|00|b|00|m|00|E|00|g|00|a|00|t|00|h|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00.\x00I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00C\x00t\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00.\x00I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00C\x00t\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16749; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call unicode access"; flow:established,to_client; content:"K|00|e|00|y|00|H|00|e|00|l|00|p|00|.|00|K|00|e|00|y|00|C|00|t|00|r|00|l|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)K\x00e\x00y\x00H\x00e\x00l\x00p\x00.\x00K\x00e\x00y\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)K\x00e\x00y\x00H\x00e\x00l\x00p\x00.\x00K\x00e\x00y\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,36546; reference:cve,2012-2515; classtype:attempted-user; sid:16775; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|7|00|E|00|C|00|F|00|D|00|4|00|1|00|-|00|B|00|E|00|6|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|9|00|A|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|1|00|3|00|8|00|C|00|8|00|C|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x007\x00E\x00C\x00F\x00D\x004\x001\x00-\x00B\x00E\x006\x002\x00-\x001\x001\x00D\x002\x00-\x00B\x009\x00A\x008\x00-\x000\x000\x001\x000\x004\x00B\x001\x003\x008\x00C\x008\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,36546; reference:cve,2012-2515; classtype:attempted-user; sid:16773; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|C|00|E|00|A|00|3|00|F|00|B|00|1|00|-|00|7|00|F|00|8|00|8|00|-|00|4|00|8|00|0|00|3|00|-|00|A|00|A|00|8|00|E|00|-|00|A|00|D|00|0|00|2|00|1|00|5|00|6|00|6|00|9|00|5|00|5|00|D|00|"; fast_pattern:only; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00C\x00E\x00A\x003\x00F\x00B\x001\x00-\x007\x00F\x008\x008\x00-\x004\x008\x000\x003\x00-\x00A\x00A\x008\x00E\x00-\x00A\x00D\x000\x002\x001\x005\x006\x006\x009\x005\x005\x00D\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16780; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|A|00|0|00|7|00|4|00|B|00|2|00|B|00|-|00|F|00|8|00|3|00|0|00|-|00|4|00|9|00|d|00|e|00|-|00|A|00|3|00|1|00|B|00|-|00|5|00|B|00|B|00|9|00|D|00|7|00|F|00|6|00|B|00|4|00|0|00|7|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00A\x000\x007\x004\x00B\x002\x00B\x00-\x00F\x008\x003\x000\x00-\x004\x009\x00d\x00e\x00-\x00A\x003\x001\x00B\x00-\x005\x00B\x00B\x009\x00D\x007\x00F\x006\x00B\x004\x000\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,25785; reference:cve,2007-5107; classtype:attempted-user; sid:17074; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX function call unicode access"; flow:established,to_client; content:"A|00|O|00|S|00|M|00|T|00|P|00|.|00|M|00|a|00|i|00|l|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00O\x00S\x00M\x00T\x00P\x00.\x00M\x00a\x00i\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00O\x00S\x00M\x00T\x00P\x00.\x00M\x00a\x00i\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,osvdb.org/show/osvdb/64839; classtype:attempted-user; sid:17102; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|3|00|7|00|1|00|6|00|E|00|9|00|3|00|-|00|0|00|3|00|3|00|D|00|-|00|4|00|8|00|B|00|0|00|-|00|8|00|A|00|2|00|F|00|-|00|8|00|E|00|8|00|4|00|7|00|3|00|F|00|D|00|7|00|A|00|C|00|7|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x003\x007\x001\x006\x00E\x009\x003\x00-\x000\x003\x003\x00D\x00-\x004\x008\x00B\x000\x00-\x008\x00A\x002\x00F\x00-\x008\x00E\x008\x004\x007\x003\x00F\x00D\x007\x00A\x00C\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17093; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX clsid unicode access"; flow:established,to_client; content:"F|00|8|00|D|00|0|00|7|00|B|00|7|00|2|00|-|00|B|00|4|00|B|00|4|00|-|00|4|00|6|00|A|00|0|00|-|00|A|00|C|00|C|00|0|00|-|00|C|00|7|00|7|00|1|00|D|00|4|00|6|00|1|00|4|00|B|00|8|00|2|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x008\x00D\x000\x007\x00B\x007\x002\x00-\x00B\x004\x00B\x004\x00-\x004\x006\x00A\x000\x00-\x00A\x00C\x00C\x000\x00-\x00C\x007\x007\x001\x00D\x004\x006\x001\x004\x00B\x008\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:url,osvdb.org/show/osvdb/64839; classtype:attempted-user; sid:17100; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call unicode access"; flow:established,to_client; content:"A|00|s|00|k|00|J|00|e|00|e|00|v|00|e|00|s|00|T|00|o|00|o|00|l|00|B|00|a|00|r|00|.|00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00|P|00|l|00|u|00|g|00|i|00|n|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00s\x00k\x00J\x00e\x00e\x00v\x00e\x00s\x00T\x00o\x00o\x00l\x00B\x00a\x00r\x00.\x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00P\x00l\x00u\x00g\x00i\x00n\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00s\x00k\x00J\x00e\x00e\x00v\x00e\x00s\x00T\x00o\x00o\x00l\x00B\x00a\x00r\x00.\x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00P\x00l\x00u\x00g\x00i\x00n\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,25785; reference:cve,2007-5107; classtype:attempted-user; sid:17076; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL WinAmpX ActiveX clsid unicode access"; flow:established,to_client; 
content:"F|00|E|00|0|00|B|00|D|00|7|00|7|00|9|00|-|00|4|00|4|00|E|00|E|00|-|00|4|00|A|00|4|00|B|00|-|00|A|00|A|00|2|00|E|00|-|00|7|00|4|00|3|00|C|00|6|00|3|00|F|00|2|00|E|00|5|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00E\x000\x00B\x00D\x007\x007\x009\x00-\x004\x004\x00E\x00E\x00-\x004\x00A\x004\x00B\x00-\x00A\x00A\x002\x00E\x00-\x007\x004\x003\x00C\x006\x003\x00F\x002\x00E\x005\x00E\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,35028; classtype:attempted-user; sid:17097; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VeryDOC PDF Viewer ActiveX function call unicode access"; flow:established,to_client; content:"P|00|D|00|F|00|V|00|I|00|E|00|W|00|.|00|P|00|d|00|f|00|v|00|i|00|e|00|w|00|C|00|t|00|r|00|l|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)P\x00D\x00F\x00V\x00I\x00E\x00W\x00.\x00P\x00d\x00f\x00v\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)P\x00D\x00F\x00V\x00I\x00E\x00W\x00.\x00P\x00d\x00f\x00v\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17090; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VeryDOC PDF Viewer ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|3|00|3|00|2|00|6|00|8|00|D|00|7|00|-|00|2|00|C|00|D|00|4|00|-|00|4|00|3|00|E|00|6|00|-|00|A|00|A|00|2|00|4|00|-|00|2|00|1|00|8|00|8|00|6|00|7|00|2|00|E|00|7|00|2|00|5|00|2|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x003\x003\x002\x006\x008\x00D\x007\x00-\x002\x00C\x00D\x004\x00-\x004\x003\x00E\x006\x00-\x00A\x00A\x002\x004\x00-\x002\x001\x008\x008\x006\x007\x002\x00E\x007\x002\x005\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,32313; reference:cve,2008-5492; classtype:attempted-user; sid:17088; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call unicode access"; flow:established,to_client; content:"A|00|l|00|t|00|i|00|r|00|i|00|s|00|.|00|A|00|e|00|X|00|N|00|S|00|P|00|k|00|g|00|D|00|L|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00P\x00k\x00g\x00D\x00L\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00P\x00k\x00g\x00D\x00L\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,36346; reference:cve,2009-3028; classtype:attempted-user; sid:17095; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Liquid XML Studio ActiveX function call unicode access"; flow:established,to_client; 
content:"L|00|t|00|X|00|m|00|l|00|C|00|o|00|m|00|H|00|e|00|l|00|p|00|8|00|.|00|U|00|n|00|i|00|c|00|o|00|d|00|e|00|F|00|i|00|l|00|e|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)L\x00t\x00X\x00m\x00l\x00C\x00o\x00m\x00H\x00e\x00l\x00p\x008\x00.\x00U\x00n\x00i\x00c\x00o\x00d\x00e\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)L\x00t\x00X\x00m\x00l\x00C\x00o\x00m\x00H\x00e\x00l\x00p\x008\x00.\x00U\x00n\x00i\x00c\x00o\x00d\x00e\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,secunia.com/advisories/38974; classtype:attempted-user; sid:17164; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Liquid XML Studio ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|6|00|8|00|E|00|4|00|0|00|1|00|C|00|-|00|7|00|D|00|B|00|0|00|-|00|4|00|F|00|3|00|A|00|-|00|8|00|8|00|E|00|1|00|-|00|1|00|5|00|9|00|8|00|8|00|2|00|4|00|6|00|8|00|A|00|7|00|9|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x008\x00E\x004\x000\x001\x00C\x00-\x007\x00D\x00B\x000\x00-\x004\x00F\x003\x00A\x00-\x008\x008\x00E\x001\x00-\x001\x005\x009\x008\x008\x002\x004\x006\x008\x00A\x007\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:url,secunia.com/advisories/38974; classtype:attempted-user; sid:17162; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle Siebel Option Pack 1 ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|7|00|0|00|7|00|0|00|b|00|f|00|d|00|-|00|c|00|5|00|0|00|1|00|-|00|4|00|8|00|9|00|9|00|-|00|9|00|3|00|4|00|d|00|-|00|0|00|b|00|9|00|6|00|a|00|9|00|f|00|7|00|0|00|7|00|9|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x007\x000\x007\x000\x00b\x00f\x00d\x00-\x00c\x005\x000\x001\x00-\x004\x008\x009\x009\x00-\x009\x003\x004\x00d\x00-\x000\x00b\x009\x006\x00a\x009\x00f\x007\x000\x007\x009\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17168; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle Siebel Option Pack 6 ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|5|00|8|00|7|00|4|00|2|00|2|00|8|00|-|00|a|00|4|00|4|00|5|00|-|00|4|00|0|00|d|00|c|00|-|00|9|00|6|00|2|00|b|00|-|00|e|00|c|00|1|00|5|00|5|00|5|00|9|00|b|00|1|00|7|00|4|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x005\x008\x007\x004\x002\x002\x008\x00-\x00a\x004\x004\x005\x00-\x004\x000\x00d\x00c\x00-\x009\x006\x002\x00b\x00-\x00e\x00c\x001\x005\x005\x005\x009\x00b\x001\x007\x004\x001\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/siO"; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17178; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle Siebel Option Pack 5 ActiveX clsid unicode access"; flow:established,to_client; 
content:"8|00|1|00|a|00|8|00|1|00|d|00|d|00|2|00|-|00|a|00|2|00|6|00|1|00|-|00|4|00|4|00|2|00|a|00|-|00|b|00|9|00|b|00|1|00|-|00|d|00|f|00|1|00|0|00|a|00|2|00|5|00|4|00|2|00|0|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x001\x00a\x008\x001\x00d\x00d\x002\x00-\x00a\x002\x006\x001\x00-\x004\x004\x002\x00a\x00-\x00b\x009\x00b\x001\x00-\x00d\x00f\x001\x000\x00a\x002\x005\x004\x002\x000\x002\x000\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17176; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle Siebel Option Pack 4 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|8|00|c|00|d|00|b|00|1|00|9|00|a|00|-|00|6|00|3|00|0|00|5|00|-|00|4|00|5|00|8|00|9|00|-|00|8|00|c|00|3|00|5|00|-|00|4|00|1|00|e|00|3|00|5|00|0|00|2|00|c|00|d|00|4|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x00c\x00d\x00b\x001\x009\x00a\x00-\x006\x003\x000\x005\x00-\x004\x005\x008\x009\x00-\x008\x00c\x003\x005\x00-\x004\x001\x00e\x003\x005\x000\x002\x00c\x00d\x004\x005\x001\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17174; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle Siebel Option Pack 2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"2|00|6|00|b|00|a|00|c|00|0|00|9|00|3|00|-|00|9|00|9|00|7|00|c|00|-|00|4|00|0|00|8|00|4|00|-|00|b|00|a|00|d|00|6|00|-|00|c|00|3|00|5|00|f|00|5|00|d|00|6|00|7|00|e|00|a|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x006\x00b\x00a\x00c\x000\x009\x003\x00-\x009\x009\x007\x00c\x00-\x004\x000\x008\x004\x00-\x00b\x00a\x00d\x006\x00-\x00c\x003\x005\x00f\x005\x00d\x006\x007\x00e\x00a\x009\x009\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/siO"; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17170; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Oracle Siebel Option Pack 3 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|3|00|1|00|F|00|0|00|C|00|9|00|4|00|-|00|C|00|0|00|2|00|F|00|-|00|4|00|0|00|A|00|C|00|-|00|A|00|3|00|1|00|B|00|-|00|D|00|D|00|C|00|3|00|9|00|7|00|3|00|1|00|F|00|C|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x003\x001\x00F\x000\x00C\x009\x004\x00-\x00C\x000\x002\x00F\x00-\x004\x000\x00A\x00C\x00-\x00A\x003\x001\x00B\x00-\x00D\x00D\x00C\x003\x009\x007\x003\x001\x00F\x00C\x008\x001\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; reference:cve,2009-3737; reference:url,www.kb.cert.org/vuls/id/174089; classtype:attempted-user; sid:17172; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AOL Radio AmpX ActiveX clsid unicode access"; flow:established,to_client; 
content:"F|00|A|00|3|00|6|00|6|00|2|00|C|00|3|00|-|00|B|00|8|00|E|00|8|00|-|00|1|00|1|00|D|00|6|00|-|00|A|00|6|00|6|00|7|00|-|00|0|00|0|00|1|00|0|00|B|00|5|00|5|00|6|00|D|00|9|00|7|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x003\x006\x006\x002\x00C\x003\x00-\x00B\x008\x00E\x008\x00-\x001\x001\x00D\x006\x00-\x00A\x006\x006\x007\x00-\x000\x000\x001\x000\x00B\x005\x005\x006\x00D\x009\x007\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,26396; reference:cve,2007-5755; classtype:attempted-user; sid:17465; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Norton AntiVirus CcErrDisp ActiveX function call unicode access"; flow:established,to_client; content:"C|00|c|00|E|00|r|00|r|00|D|00|s|00|p|00|.|00|E|00|r|00|r|00|o|00|r|00|D|00|i|00|s|00|p|00|l|00|a|00|y|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)C\x00c\x00E\x00r\x00r\x00D\x00s\x00p\x00.\x00E\x00r\x00r\x00o\x00r\x00D\x00i\x00s\x00p\x00l\x00a\x00y\x00(\.\x00\d\x00)?(?P=q1)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)C\x00c\x00E\x00r\x00r\x00D\x00s\x00p\x00.\x00E\x00r\x00r\x00o\x00r\x00D\x00i\x00s\x00p\x00l\x00a\x00y\x00(\.\x00\d\x00)?(?P=q2)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,12175; classtype:attempted-user; sid:17583; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SizerOne 2 ActiveX clsid unicode access"; flow:established,to_client; 
content:"2|00|4|00|e|00|0|00|4|00|e|00|b|00|f|00|-|00|0|00|1|00|4|00|d|00|-|00|4|00|7|00|1|00|f|00|-|00|9|00|3|00|0|00|e|00|-|00|7|00|6|00|5|00|4|00|b|00|1|00|1|00|9|00|3|00|b|00|a|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x004\x00e\x000\x004\x00e\x00b\x00f\x00-\x000\x001\x004\x00d\x00-\x004\x007\x001\x00f\x00-\x009\x003\x000\x00e\x00-\x007\x006\x005\x004\x00b\x001\x001\x009\x003\x00b\x00a\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33148; reference:cve,2008-4827; classtype:attempted-user; sid:17576; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP GUI SAPBExCommonResources ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|0|00|0|00|9|00|C|00|9|00|0|00|D|00|-|00|8|00|1|00|4|00|B|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|A|00|3|00|E|00|-|00|0|00|8|00|0|00|0|00|0|00|9|00|D|00|2|00|2|00|3|00|4|00|4|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x000\x000\x009\x00C\x009\x000\x00D\x00-\x008\x001\x004\x00B\x00-\x001\x001\x00D\x003\x00-\x00B\x00A\x003\x00E\x00-\x000\x008\x000\x000\x000\x009\x00D\x002\x002\x003\x004\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17615; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SAP GUI SAPBExCommonResources ActiveX function call unicode access"; flow:established,to_client; content:"S|00|A|00|P|00|B|00|E|00|x|00|C|00|o|00|m|00|m|00|o|00|n|00|R|00|e|00|s|00|o|00|u|00|r|00|c|00|e|00|s|00|.|00|B|00|E|00|x|00|G|00|l|00|o|00|b|00|a|00|l|00|"; 
nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00A\x00P\x00B\x00E\x00x\x00C\x00o\x00m\x00m\x00o\x00n\x00R\x00e\x00s\x00o\x00u\x00r\x00c\x00e\x00s\x00.\x00B\x00E\x00x\x00G\x00l\x00o\x00b\x00a\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00A\x00P\x00B\x00E\x00x\x00C\x00o\x00m\x00m\x00o\x00n\x00R\x00e\x00s\x00o\x00u\x00r\x00c\x00e\x00s\x00.\x00B\x00E\x00x\x00G\x00l\x00o\x00b\x00a\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:url,securitytracker.com/alerts/2010/Mar/1023760.html; classtype:attempted-user; sid:17617; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Internet Explorer Install Engine ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|E|00|4|00|4|00|9|00|6|00|8|00|3|00|-|00|C|00|5|00|0|00|9|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|A|00|F|00|A|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|6|00|0|00|1|00|5|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x004\x004\x009\x006\x008\x003\x00-\x00C\x005\x000\x009\x00-\x001\x001\x00C\x00F\x00-\x00A\x00A\x00F\x00A\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x006\x000\x001\x005\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,11366; reference:cve,2004-0216; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; classtype:attempted-user; sid:17589; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Skype Extras Manager 
ActiveX function call unicode access"; flow:established,to_client; content:"e|00|z|00|P|00|M|00|U|00|t|00|i|00|l|00|s|00|.|00|W|00|i|00|n|00|d|00|o|00|w|00|G|00|r|00|o|00|u|00|p|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)e\x00z\x00P\x00M\x00U\x00t\x00i\x00l\x00s\x00.\x00W\x00i\x00n\x00d\x00o\x00w\x00G\x00r\x00o\x00u\x00p\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)e\x00z\x00P\x00M\x00U\x00t\x00i\x00l\x00s\x00.\x00W\x00i\x00n\x00d\x00o\x00w\x00G\x00r\x00o\x00u\x00p\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,36459; reference:cve,2009-4741; classtype:attempted-user; sid:17677; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BigAnt Office Manager ActiveX function call unicode access"; flow:established,to_client; content:"A|00|n|00|t|00|C|00|o|00|r|00|e|00|.|00|A|00|n|00|t|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00n\x00t\x00C\x00o\x00r\x00e\x00.\x00A\x00n\x00t\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00n\x00t\x00C\x00o\x00r\x00e\x00.\x00A\x00n\x00t\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,39721; classtype:attempted-user; 
sid:17673; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Skype Extras Manager ActiveX clsid unicode access"; flow:established,to_client; content:"4|00|2|00|4|00|8|00|1|00|7|00|0|00|0|00|-|00|C|00|F|00|3|00|C|00|-|00|4|00|D|00|0|00|5|00|-|00|8|00|E|00|C|00|6|00|-|00|F|00|9|00|A|00|1|00|C|00|5|00|7|00|E|00|8|00|D|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x004\x008\x001\x007\x000\x000\x00-\x00C\x00F\x003\x00C\x00-\x004\x00D\x000\x005\x00-\x008\x00E\x00C\x006\x00-\x00F\x009\x00A\x001\x00C\x005\x007\x00E\x008\x00D\x00C\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,36459; reference:cve,2009-4741; classtype:attempted-user; sid:17675; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX BigAnt Office Manager ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|5|00|7|00|4|00|5|00|F|00|2|00|B|00|-|00|2|00|A|00|C|00|9|00|-|00|4|00|5|00|5|00|1|00|-|00|9|00|4|00|8|00|B|00|-|00|5|00|7|00|4|00|C|00|5|00|0|00|D|00|4|00|E|00|E|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x005\x007\x004\x005\x00F\x002\x00B\x00-\x002\x00A\x00C\x009\x00-\x004\x005\x005\x001\x00-\x009\x004\x008\x00B\x00-\x005\x007\x004\x00C\x005\x000\x00D\x004\x00E\x00E\x005\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,39721; classtype:attempted-user; sid:17671; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid unicode access "; flow:established,to_client; 
content:"E|00|0|00|E|00|C|00|A|00|9|00|C|00|3|00|-|00|D|00|6|00|6|00|9|00|-|00|4|00|E|00|F|00|4|00|-|00|8|00|2|00|3|00|1|00|-|00|0|00|0|00|7|00|2|00|4|00|E|00|D|00|9|00|2|00|8|00|8|00|F|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x000\x00E\x00C\x00A\x009\x00C\x003\x00-\x00D\x006\x006\x009\x00-\x004\x00E\x00F\x004\x00-\x008\x002\x003\x001\x00-\x000\x000\x007\x002\x004\x00E\x00D\x009\x002\x008\x008\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2010-0252; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-008; classtype:attempted-user; sid:16420; rev:5;) # alert tcp $HOME_NET 445 -> $HOME_NET any (msg:"DELETED NETBIOS Adobe multiple products dwmapi.dll dll-load exploit attempt"; flow:to_client,established; content:"d|00|w|00|m|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00|"; fast_pattern:only; reference:cve,2010-3127; reference:cve,2010-3131; reference:cve,2010-3976; reference:url,www.adobe.com/support/security/bulletins/apsb10-26.html; classtype:attempted-user; sid:18330; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Adobe multiple products dwmapi.dll dll-load exploit attempt"; flow:to_server,established; content:"dwmapi.dll"; nocase; http_uri; reference:cve,2010-3127; reference:cve,2010-3131; reference:cve,2010-3976; reference:url,www.adobe.com/support/security/bulletins/apsb10-26.html; classtype:attempted-user; sid:18328; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv1 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; content:"|01 00 01|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:15897; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED 
WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid unicode access "; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|1|00|1|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; content:"C|00|S|00|V|00|D|00|a|00|t|00|a|00|"; nocase; reference:cve,2006-4695; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-017; classtype:attempted-user; sid:13581; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX backweb ActiveX clsid unicode access "; flow:established,to_client; content:"4|00|0|00|F|00|2|00|3|00|E|00|B|00|7|00|-|00|B|00|3|00|9|00|7|00|-|00|4|00|2|00|8|00|5|00|-|00|8|00|F|00|3|00|C|00|-|00|A|00|A|00|C|00|E|00|4|00|F|00|A|00|4|00|0|00|3|00|0|00|9|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:13833; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid unicode access "; flow:established,to_client; content:"3|00|1|00|4|00|1|00|1|00|1|00|b|00|8|00|-|00|a|00|5|00|0|00|2|00|-|00|1|00|1|00|d|00|2|00|-|00|b|00|b|00|c|00|a|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|8|00|e|00|c|00|2|00|9|00|4|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13669; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid unicode access "; flow:established,to_client; 
content:"4|00|C|00|5|00|9|00|9|00|2|00|4|00|1|00|-|00|6|00|9|00|2|00|6|00|-|00|1|00|0|00|1|00|B|00|-|00|9|00|9|00|9|00|2|00|-|00|0|00|0|00|0|00|0|00|0|00|B|00|6|00|5|00|C|00|6|00|F|00|9|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13458; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call unicode access "; flow:established,to_client; content:"H|00|x|00|V|00|z|00|.|00|H|00|x|00|I|00|n|00|d|00|e|00|x|00|C|00|t|00|r|00|l|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00x\x00V\x00z\x00.\x00H\x00x\x00I\x00n\x00d\x00e\x00x\x00C\x00t\x00r\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)H\x00x\x00V\x00z\x00.\x00H\x00x\x00I\x00n\x00d\x00e\x00x\x00C\x00t\x00r\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13675; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid unicode access "; flow:established,to_client; content:"A|00|8|00|D|00|3|00|A|00|D|00|0|00|2|00|-|00|7|00|5|00|0|00|8|00|-|00|4|00|0|00|0|00|4|00|-|00|B|00|2|00|E|00|9|00|-|00|A|00|D|00|3|00|3|00|F|00|0|00|8|00|7|00|F|00|4|00|3|00|C|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x008\x00D\x003\x00A\x00D\x000\x002\x00-\x007\x005\x000\x008\x00-\x004\x000\x000\x004\x00-\x00B\x002\x00E\x009\x00-\x00A\x00D\x003\x003\x00F\x000\x008\x007\x00F\x004\x003\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14256; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Message System ActiveX clsid unicode access "; flow:established,to_client; content:"B|00|6|00|9|00|0|00|0|00|3|00|B|00|3|00|-|00|C|00|5|00|5|00|E|00|-|00|4|00|b|00|4|00|8|00|-|00|8|00|3|00|6|00|C|00|-|00|B|00|C|00|5|00|9|00|4|00|6|00|F|00|C|00|3|00|B|00|2|00|8|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x006\x009\x000\x000\x003\x00B\x003\x00-\x00C\x005\x005\x00E\x00-\x004\x00b\x004\x008\x00-\x008\x003\x006\x00C\x00-\x00B\x00C\x005\x009\x004\x006\x00F\x00C\x003\x00B\x002\x008\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2008-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-050; classtype:attempted-user; sid:13966; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call unicode access "; flow:established,to_client; content:"H|00|x|00|V|00|z|00|.|00|H|00|x|00|T|00|o|00|c|00|C|00|t|00|r|00|l|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)H\x00x\x00V\x00z\x00.\x00H\x00x\x00T\x00o\x00c\x00C\x00t\x00r\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)H\x00x\x00V\x00z\x00.\x00H\x00x\x00T\x00o\x00c\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13671; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid unicode access "; flow:established,to_client; content:"3|00|b|00|e|00|e|00|4|00|8|00|9|00|0|00|-|00|4|00|f|00|e|00|9|00|-|00|4|00|a|00|3|00|7|00|-|00|8|00|c|00|1|00|e|00|-|00|5|00|e|00|7|00|e|00|1|00|2|00|7|00|9|00|1|00|c|00|1|00|f|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2007-0675; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:13831; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call unicode access "; flow:established,to_client; content:"F|00|o|00|r|00|m|00|s|00|.|00|I|00|m|00|a|00|g|00|e|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)F\x00o\x00r\x00m\x00s\x00.\x00I\x00m\x00a\x00g\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)F\x00o\x00r\x00m\x00s\x00.\x00I\x00m\x00a\x00g\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2007-0065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-008; classtype:attempted-user; sid:13460; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid unicode access "; flow:established,to_client; 
content:"3|00|1|00|4|00|1|00|1|00|1|00|c|00|6|00|-|00|a|00|5|00|0|00|2|00|-|00|1|00|1|00|d|00|2|00|-|00|b|00|b|00|c|00|a|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|8|00|e|00|c|00|2|00|9|00|4|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:cve,2008-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-023; classtype:attempted-user; sid:13673; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Message System ActiveX function call unicode access "; flow:established,to_client; content:"M|00|e|00|s|00|s|00|e|00|n|00|g|00|e|00|r|00|.|00|U|00|I|00|A|00|u|00|t|00|o|00|m|00|a|00|t|00|i|00|o|00|n|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00e\x00s\x00s\x00e\x00n\x00g\x00e\x00r\x00.\x00U\x00I\x00A\x00u\x00t\x00o\x00m\x00a\x00t\x00i\x00o\x00n\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00e\x00s\x00s\x00e\x00n\x00g\x00e\x00r\x00.\x00U\x00I\x00A\x00u\x00t\x00o\x00m\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-0082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-050; classtype:attempted-user; sid:13968; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call unicode access "; flow:established,to_client; content:"W|00|M|00|E|00|n|00|c|00|.|00|W|00|M|00|E|00|n|00|c|00|P|00|r|00|o|00|f|00|i|00|l|00|e|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00M\x00E\x00n\x00c\x00.\x00W\x00M\x00E\x00n\x00c\x00P\x00r\x00o\x00f\x00i\x00l\x00e\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)W\x00M\x00E\x00n\x00c\x00.\x00W\x00M\x00E\x00n\x00c\x00P\x00r\x00o\x00f\x00i\x00l\x00e\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-3008; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-053; classtype:attempted-user; sid:14258; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid unicode access "; flow:established,to_client; content:"2|00|2|00|8|00|5|00|2|00|e|00|e|00|3|00|-|00|b|00|0|00|1|00|b|00|-|00|1|00|1|00|c|00|f|00|-|00|b|00|8|00|2|00|6|00|-|00|0|00|0|00|a|00|0|00|c|00|9|00|0|00|5|00|5|00|d|00|9|00|e|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,25571; reference:bugtraq,25977; reference:cve,2007-4790; reference:cve,2007-5322; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-010; classtype:attempted-user; sid:13452; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX sapi.dll ActiveX clsid unicode access "; flow:established,to_client; content:"4|00|7|00|2|00|0|00|6|00|2|00|0|00|4|00|-|00|5|00|e|00|c|00|a|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|6|00|0|00|f|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|8|00|e|00|e|00|6|00|2|00|8|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; reference:cve,2007-0675; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-032; classtype:attempted-user; sid:13829; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RKD Software BarCode ActiveX function call unicode access"; flow:established,to_client; content:"A|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|B|00|C|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00C\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00C\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,24596; reference:cve,2007-3435; classtype:attempted-user; sid:12013; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid unicode access"; flow:established,to_client; content:"A|00|0|00|9|00|A|00|E|00|6|00|8|00|F|00|-|00|B|00|1|00|4|00|D|00|-|00|4|00|3|00|E|00|D|00|-|00|B|00|7|00|1|00|3|00|-|00|B|00|A|00|4|00|1|00|3|00|F|00|0|00|3|00|4|00|9|00|0|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x000\x009\x00A\x00E\x006\x008\x00F\x00-\x00B\x001\x004\x00D\x00-\x004\x003\x00E\x00D\x00-\x00B\x007\x001\x003\x00-\x00B\x00A\x004\x001\x003\x00F\x000\x003\x004\x009\x000\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:bugtraq,21060; reference:bugtraq,21108; reference:cve,2006-3890; reference:cve,2006-5198; reference:url,www.winzip.com/wz7245.htm; classtype:attempted-user; sid:9130; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX RKD Software BarCode ActiveX 
clsid unicode access"; flow:established,to_client; content:"C|00|2|00|6|00|D|00|9|00|C|00|A|00|8|00|-|00|6|00|7|00|4|00|7|00|-|00|1|00|1|00|D|00|5|00|-|00|A|00|D|00|4|00|B|00|-|00|C|00|0|00|1|00|8|00|5|00|7|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24596; reference:cve,2007-3435; classtype:attempted-user; sid:12011; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call unicode access"; flow:established,to_client; content:"W|00|i|00|n|00|d|00|s|00|P|00|l|00|a|00|y|00|e|00|r|00|I|00|E|00|.|00|V|00|i|00|e|00|w|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00i\x00n\x00d\x00s\x00P\x00l\x00a\x00y\x00e\x00r\x00I\x00E\x00.\x00V\x00i\x00e\x00w\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)W\x00i\x00n\x00d\x00s\x00P\x00l\x00a\x00y\x00e\x00r\x00I\x00E\x00.\x00V\x00i\x00e\x00w\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2009-4588; reference:cve,2009-4850; classtype:attempted-user; sid:16770; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|7|00|A|00|5|00|4|00|E|00|7|00|D|00|-|00|A|00|9|00|D|00|4|00|-|00|1|00|1|00|D|00|8|00|-|00|9|00|5|00|5|00|2|00|-|00|0|00|0|00|E|00|0|00|4|00|C|00|B|00|0|00|9|00|9|00|0|00|3|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x007\x00A\x005\x004\x00E\x007\x00D\x00-\x00A\x009\x00D\x004\x00-\x001\x001\x00D\x008\x00-\x009\x005\x005\x002\x00-\x000\x000\x00E\x000\x004\x00C\x00B\x000\x009\x009\x000\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:cve,2009-4588; reference:cve,2009-4850; classtype:attempted-user; sid:16768; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WinDVD IASystemInfo.dll ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|7|00|2|00|7|00|C|00|2|00|1|00|7|00|-|00|2|00|0|00|2|00|2|00|-|00|1|00|1|00|D|00|4|00|-|00|B|00|2|00|C|00|6|00|-|00|0|00|0|00|5|00|0|00|D|00|A|00|1|00|B|00|D|00|9|00|0|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x007\x002\x007\x00C\x002\x001\x007\x00-\x002\x000\x002\x002\x00-\x001\x001\x00D\x004\x00-\x00B\x002\x00C\x006\x00-\x000\x000\x005\x000\x00D\x00A\x001\x00B\x00D\x009\x000\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23071; reference:cve,2007-0348; classtype:attempted-user; sid:16803; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|E|00|E|00|F|00|D|00|7|00|B|00|1|00|-|00|B|00|2|00|6|00|C|00|-|00|4|00|4|00|0|00|D|00|-|00|B|00|5|00|5|00|A|00|-|00|1|00|E|00|C|00|6|00|7|00|7|00|1|00|8|00|9|00|F|00|3|00|0|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x00E\x00F\x00D\x007\x00B\x001\x00-\x00B\x002\x006\x00C\x00-\x004\x004\x000\x00D\x00-\x00B\x005\x005\x00A\x00-\x001\x00E\x00C\x006\x007\x007\x001\x008\x009\x00F\x003\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,26288; reference:cve,2007-5603; classtype:attempted-user; sid:17083; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call unicode access"; flow:established,to_client; content:"W|00|Z|00|F|00|I|00|L|00|E|00|V|00|I|00|E|00|W|00|.|00|F|00|i|00|l|00|e|00|V|00|i|00|e|00|w|00|C|00|t|00|r|00|l|00|.|00|6|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)W\x00Z\x00F\x00I\x00L\x00E\x00V\x00I\x00E\x00W\x00.\x00F\x00i\x00l\x00e\x00V\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00.\x006\x001\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)W\x00Z\x00F\x00I\x00L\x00E\x00V\x00I\x00E\x00W\x00.\x00F\x00i\x00l\x00e\x00V\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00.\x006\x001\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,21060; reference:bugtraq,21108; reference:cve,2006-3890; reference:cve,2006-5198; reference:url,www.winzip.com/wz7245.htm; classtype:attempted-user; sid:18169; rev:3;) # alert tcp any any -> any any (msg:"DELETED SHELLCODE Metasploit meterpreter connection attempt"; flow:established; content:"|00 39 00 38 00 35 00 16 00 13 00 0A 00 33 00 32 00 2F 00 07 00 05 00 04 00 15 00 12 00 09 00 
14 00 11 00 08|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20200; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Microsoft IE malformed iframe unicode buffer overflow attempt"; flow:to_client,established; content:"|00|<|00|I|00|F|00|R|00|A|00|M|00|E|00| |00|"; nocase; content:"|00|f|00|i|00|l|00|e|00 3A 00|/|00|/|00|"; distance:0; nocase; pcre:"/|00|<|00|I|00|F|00|R|00|A|00|M|00|E|00|[\s\x00]+[^>]*?s|00|r|00|c[\s\x00]*=[\s\x00]*(\x22|\x27)|00|f|00|i|00|l|00|e|00 3A 00 2f 00 2f 00|[^\x22\x27\s>]{400}/smi"; reference:cve,2004-1050; classtype:attempted-user; sid:18468; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX McAfee NeoTrace ActiveX function call unicode access"; flow:established,to_client; content:"N|00|e|00|o|00|T|00|r|00|a|00|c|00|e|00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|.|00|N|00|e|00|o|00|T|00|r|00|a|00|c|00|e|00|L|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00.\x00N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00.\x00N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,21697; reference:cve,2006-6707; classtype:attempted-user; sid:12090; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX DjVu MSOffice Converter ActiveX clsid unicode access"; flow:established,to_client; 
content:"4|00|A|00|4|00|6|00|B|00|8|00|C|00|D|00|-|00|F|00|7|00|B|00|D|00|-|00|1|00|1|00|D|00|4|00|-|00|B|00|1|00|D|00|8|00|-|00|0|00|0|00|0|00|1|00|0|00|2|00|2|00|9|00|0|00|E|00|7|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00A\x004\x006\x00B\x008\x00C\x00D\x00-\x00F\x007\x00B\x00D\x00-\x001\x001\x00D\x004\x00-\x00B\x001\x00D\x008\x00-\x000\x000\x000\x001\x000\x002\x002\x009\x000\x00E\x007\x00C\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; reference:bugtraq,31987; reference:cve,2008-4922; classtype:attempted-user; sid:14998; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|8|00|C|00|5|00|3|00|9|00|8|00|4|00|-|00|8|00|B|00|F|00|8|00|-|00|4|00|D|00|1|00|1|00|-|00|9|00|B|00|1|00|C|00|-|00|C|00|3|00|2|00|4|00|F|00|C|00|A|00|9|00|C|00|A|00|D|00|E|00|"; nocase; content:"P|00|r|00|o|00|g|00|C|00|o|00|l|00|o|00|r|00|"; nocase; reference:bugtraq,23239; reference:cve,2007-1819; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872; classtype:attempted-user; sid:10420; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX function call unicode access"; flow:established,to_client; content:"S|00|P|00|I|00|D|00|E|00|R|00|L|00|i|00|b|00|.|00|L|00|o|00|a|00|d|00|e|00|r|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00P\x00I\x00D\x00E\x00R\x00L\x00i\x00b\x00.\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00P\x00I\x00D\x00E\x00R\x00L\x00i\x00b\x00.\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,23239; reference:cve,2007-1819; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872; classtype:attempted-user; sid:10422; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call unicode access"; flow:established,to_client; content:"S|00|a|00|f|00|e|00|A|00|n|00|d|00|S|00|o|00|u|00|n|00|d|00|A|00|T|00|L|00|.|00|N|00|i|00|x|00|o|00|n|00|C|00|o|00|n|00|f|00|i|00|g|00|M|00|g|00|r|00|E|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00C\x00o\x00n\x00f\x00i\x00g\x00M\x00g\x00r\x00E\x00x\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00C\x00o\x00n\x00f\x00i\x00g\x00M\x00g\x00r\x00E\x00x\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3703; classtype:attempted-user; sid:11676; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX SaschArt SasCam Webcam Server ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|2|00|9|00|7|00|D|00|2|00|4|00|A|00|-|00|F|00|4|00|2|00|5|00|-|00|4|00|7|00|E|00|E|00|-|00|9|00|F|00|3|00|B|00|-|00|A|00|4|00|5|00|9|00|B|00|C|00|E|00|5|00|9|00|3|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x002\x009\x007\x00D\x002\x004\x00A\x00-\x00F\x004\x002\x005\x00-\x004\x007\x00E\x00E\x00-\x009\x00F\x003\x00B\x00-\x00A\x004\x005\x009\x00B\x00C\x00E\x005\x009\x003\x00E\x003\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/siO"; reference:bugtraq,33053; reference:cve,2008-6898; classtype:attempted-user; sid:15182; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|9|00|D|00|B|00|D|00|D|00|A|00|6|00|-|00|9|00|A|00|8|00|0|00|-|00|4|00|2|00|A|00|4|00|-|00|B|00|8|00|2|00|4|00|-|00|9|00|B|00|C|00|5|00|0|00|C|00|C|00|1|00|7|00|2|00|F|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3703; classtype:attempted-user; sid:11674; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX McAfee NeoTrace ActiveX clsid unicode access"; flow:established,to_client; content:"3|00|E|00|1|00|D|00|D|00|8|00|9|00|7|00|-|00|F|00|3|00|0|00|0|00|-|00|4|00|8|00|6|00|C|00|-|00|B|00|E|00|A|00|F|00|-|00|7|00|1|00|1|00|1|00|8|00|3|00|7|00|7|00|3|00|5|00|5|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,21697; reference:cve,2006-6707; classtype:attempted-user; sid:12088; rev:5;) # alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Trend Micro OfficeScan Client ActiveX clsid unicode access"; flow:established,to_client; content:"0|00|8|00|D|00|7|00|5|00|B|00|B|00|0|00|-|00|D|00|2|00|B|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|F|00|C|00|-|00|0|00|0|00|8|00|0|00|C|00|8|00|5|00|9|00|8|00|3|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x008\x00D\x007\x005\x00B\x00B\x000\x00-\x00D\x002\x00B\x005\x00-\x001\x001\x00D\x001\x00-\x008\x008\x00F\x00C\x00-\x000\x000\x008\x000\x00C\x008\x005\x009\x008\x003\x003\x00B\x00(}\x00)?\5/si"; reference:bugtraq,22585; reference:cve,2007-0325; classtype:attempted-user; sid:10174; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX clsid unicode access"; flow:established,to_client; content:"2|00|1|00|3|00|7|00|2|00|7|00|8|00|D|00|-|00|E|00|F|00|5|00|C|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|6|00|C|00|E|00|-|00|0|00|0|00|0|00|4|00|A|00|C|00|9|00|6|00|5|00|2|00|5|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x001\x003\x007\x002\x007\x008\x00D\x00-\x00E\x00F\x005\x00C\x00-\x001\x001\x00D\x003\x00-\x009\x006\x00C\x00E\x00-\x000\x000\x000\x004\x00A\x00C\x009\x006\x005\x002\x005\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24772; reference:cve,2007-3605; classtype:attempted-user; sid:16570; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX function call unicode access"; flow:established,to_client; 
content:"k|00|w|00|e|00|d|00|i|00|t|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|k|00|w|00|e|00|d|00|i|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)k\x00w\x00e\x00d\x00i\x00t\x00c\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00k\x00w\x00e\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)k\x00w\x00e\x00d\x00i\x00t\x00c\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00k\x00w\x00e\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,24772; reference:cve,2007-3605; classtype:attempted-user; sid:16572; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Symantec Norton Personal Firewall 2004 ActiveX clsid unicode access"; flow:established,to_client; content:"B|00|E|00|3|00|9|00|A|00|E|00|F|00|D|00|-|00|5|00|7|00|0|00|4|00|-|00|4|00|b|00|b|00|5|00|-|00|B|00|1|00|D|00|F|00|-|00|B|00|7|00|9|00|9|00|2|00|4|00|5|00|4|00|A|00|B|00|7|00|E|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00E\x003\x009\x00A\x00E\x00F\x00D\x00-\x005\x007\x000\x004\x00-\x004\x00b\x00b\x005\x00-\x00B\x001\x00D\x00F\x00-\x00B\x007\x009\x009\x002\x004\x005\x004\x00A\x00B\x007\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,23936; reference:cve,2007-1689; classtype:attempted-user; sid:17062; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Creative Software AutoUpdate Engine ActiveX clsid unicode access"; flow:established,to_client; 
content:"0|00|A|00|5|00|F|00|D|00|7|00|C|00|5|00|-|00|A|00|4|00|5|00|C|00|-|00|4|00|9|00|F|00|C|00|-|00|A|00|D|00|B|00|5|00|-|00|9|00|9|00|5|00|2|00|5|00|4|00|7|00|D|00|5|00|7|00|1|00|5|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00A\x005\x00F\x00D\x007\x00C\x005\x00-\x00A\x004\x005\x00C\x00-\x004\x009\x00F\x00C\x00-\x00A\x00D\x00B\x005\x00-\x009\x009\x005\x002\x005\x004\x007\x00D\x005\x007\x001\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,29391; reference:cve,2008-0955; classtype:attempted-user; sid:17085; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GOM Player GomWeb ActiveX function call unicode access"; flow:established,to_client; content:"G|00|o|00|m|00|W|00|e|00|b|00|C|00|t|00|r|00|l|00|.|00|G|00|o|00|m|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)G\x00o\x00m\x00W\x00e\x00b\x00C\x00t\x00r\x00l\x00.\x00G\x00o\x00m\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)G\x00o\x00m\x00W\x00e\x00b\x00C\x00t\x00r\x00l\x00.\x00G\x00o\x00m\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,26236; reference:cve,2007-5779; classtype:attempted-user; sid:17081; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX GOM Player GomWeb ActiveX clsid unicode access"; flow:established,to_client; 
content:"D|00|C|00|0|00|7|00|C|00|7|00|2|00|1|00|-|00|7|00|9|00|E|00|0|00|-|00|4|00|B|00|D|00|4|00|-|00|A|00|8|00|9|00|F|00|-|00|C|00|9|00|0|00|8|00|7|00|1|00|9|00|4|00|6|00|A|00|3|00|1|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00C\x000\x007\x00C\x007\x002\x001\x00-\x007\x009\x00E\x000\x00-\x004\x00B\x00D\x004\x00-\x00A\x008\x009\x00F\x00-\x00C\x009\x000\x008\x007\x001\x009\x004\x006\x00A\x003\x001\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,26236; reference:cve,2007-5779; classtype:attempted-user; sid:17079; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Logitech Video Call 1 ActiveX clsid unicode access"; flow:established,to_client; content:"5|00|4|00|d|00|a|00|0|00|f|00|b|00|5|00|-|00|4|00|8|00|3|00|a|00|-|00|4|00|c|00|5|00|3|00|-|00|8|00|1|00|0|00|b|00|-|00|f|00|1|00|3|00|1|00|d|00|5|00|0|00|a|00|8|00|e|00|b|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x004\x00d\x00a\x000\x00f\x00b\x005\x00-\x004\x008\x003\x00a\x00-\x004\x00c\x005\x003\x00-\x008\x001\x000\x00b\x00-\x00f\x001\x003\x001\x00d\x005\x000\x00a\x008\x00e\x00b\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17064; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|5|00|7|00|7|00|b|00|0|00|9|00|d|00|-|00|c|00|3|00|9|00|d|00|-|00|4|00|e|00|2|00|2|00|-|00|9|00|9|00|1|00|3|00|-|00|c|00|9|00|9|00|8|00|0|00|3|00|f|00|9|00|c|00|3|00|8|00|8|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x005\x007\x007\x00b\x000\x009\x00d\x00-\x00c\x003\x009\x00d\x00-\x004\x00e\x002\x002\x00-\x009\x009\x001\x003\x00-\x00c\x009\x009\x008\x000\x003\x00f\x009\x00c\x003\x008\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17066; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Logitech Video Call 3 ActiveX clsid unicode access"; flow:established,to_client; content:"9|00|1|00|7|00|b|00|2|00|9|00|f|00|8|00|-|00|e|00|7|00|2|00|a|00|-|00|4|00|7|00|6|00|1|00|-|00|8|00|3|00|7|00|1|00|-|00|b|00|f|00|7|00|f|00|c|00|a|00|2|00|7|00|e|00|b|00|3|00|1|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x007\x00b\x002\x009\x00f\x008\x00-\x00e\x007\x002\x00a\x00-\x004\x007\x006\x001\x00-\x008\x003\x007\x001\x00-\x00b\x00f\x007\x00f\x00c\x00a\x002\x007\x00e\x00b\x003\x001\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17068; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Logitech Video Call 4 ActiveX clsid unicode access"; flow:established,to_client; content:"b|00|e|00|f|00|0|00|f|00|4|00|8|00|8|00|-|00|3|00|5|00|6|00|2|00|-|00|4|00|3|00|5|00|f|00|-|00|8|00|e|00|8|00|9|00|-|00|7|00|9|00|d|00|9|00|4|00|c|00|9|00|a|00|5|00|2|00|8|00|c|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00e\x00f\x000\x00f\x004\x008\x008\x00-\x003\x005\x006\x002\x00-\x004\x003\x005\x00f\x00-\x008\x00e\x008\x009\x00-\x007\x009\x00d\x009\x004\x00c\x009\x00a\x005\x002\x008\x00c\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17070; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Logitech Video Call 5 ActiveX clsid unicode access"; flow:established,to_client; content:"b|00|f|00|4|00|c|00|7|00|b|00|0|00|3|00|-|00|f|00|3|00|8|00|1|00|-|00|4|00|5|00|4|00|4|00|-|00|9|00|a|00|3|00|3|00|-|00|c|00|b|00|6|00|d|00|a|00|d|00|2|00|a|00|8|00|7|00|c|00|d|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00f\x004\x00c\x007\x00b\x000\x003\x00-\x00f\x003\x008\x001\x00-\x004\x005\x004\x004\x00-\x009\x00a\x003\x003\x00-\x00c\x00b\x006\x00d\x00a\x00d\x002\x00a\x008\x007\x00c\x00d\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,24254; reference:cve,2007-2918; classtype:attempted-user; sid:17072; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Embedded OpenType font file download attempt"; flow:to_server,established; content:".eot"; nocase; http_uri; flowbits:set,http.eot; flowbits:noalert; classtype:misc-activity; sid:19307; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3628 (msg:"DELETED EXPLOIT Trend Micro ServerProtect EarthAgent DCE-RPC Stack overflow"; flow:to_server,established; content:"|00|"; content:"|00 00 14 00 1F 00|"; within:6; distance:20; isdataat:100,relative; content:!"|00 00|"; within:96; distance:4; 
reference:bugtraq,23866; reference:cve,2007-2508; classtype:attempted-admin; sid:11618; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT CHM file transfer attempt"; flow:to_client,established; content:"text/plain"; nocase; http_header; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)text\x2fplain/smiH"; pcre:"/^ITSF/sm"; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-026; classtype:attempted-user; sid:3821; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request - tools"; flow:established,to_server; content:"act=tools&"; http_uri; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:18689; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"DELETED EXPLOIT CA ARCserve Backup for Laptops rxsSetDefaultConfigName overflow attempt"; flow:to_server,established; content:"rxsSetDefaultConfigName~~"; isdataat:976,relative; reference:bugtraq,24348; reference:cve,2007-3216; classtype:attempted-admin; sid:12788; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap 390113 tcp request"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13254; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap 390113 udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,25375; reference:cve,2007-3618; 
classtype:rpc-portmap-decode; sid:13255; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"DELETED RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:13268; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call access"; flow:established,to_client; content:"Vie2Lib.Vie2LinuxVolume"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\)/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14392; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14419; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call access"; flow:established,to_client; content:"IntraProcessLogging.Logger"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\)/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14464; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid unicode access"; flow:established,to_client; 
content:"A|00|F|00|1|00|3|00|B|00|0|00|7|00|E|00|-|00|2|00|8|00|A|00|1|00|-|00|4|00|C|00|A|00|C|00|-|00|9|00|C|00|9|00|A|00|-|00|E|00|C|00|5|00|8|00|2|00|E|00|3|00|5|00|4|00|A|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00F\x001\x003\x00B\x000\x007\x00E\x00-\x002\x008\x00A\x001\x00-\x004\x00C\x00A\x00C\x00-\x009\x00C\x009\x00A\x00-\x00E\x00C\x005\x008\x002\x00E\x003\x005\x004\x00A\x002\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14463; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid access"; flow:established,to_client; content:"1AF378DE-4574-4bb0-A5DF-F78FCAD28707"; fast_pattern:only; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1AF378DE-4574-4bb0-A5DF-F78FCAD28707\s*}?\s*(?P=q1)(\s|>)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14390; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call access"; flow:established,to_client; content:"VieLib2.Vie2Process"; fast_pattern:only; 
pcre:"/(?P\w+)\s*=\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\)/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14418; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid unicode access"; flow:established,to_client; content:"7|00|B|00|9|00|C|00|5|00|4|00|2|00|2|00|-|00|3|00|9|00|A|00|A|00|-|00|4|00|c|00|2|00|1|00|-|00|B|00|E|00|E|00|F|00|-|00|6|00|4|00|5|00|E|00|4|00|2|00|E|00|B|00|4|00|5|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00B\x009\x00C\x005\x004\x002\x002\x00-\x003\x009\x00A\x00A\x00-\x004\x00c\x002\x001\x00-\x00B\x00E\x00E\x00F\x00-\x006\x004\x005\x00E\x004\x002\x00E\x00B\x004\x005\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14417; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|A|00|F|00|3|00|7|00|8|00|D|00|E|00|-|00|4|00|5|00|7|00|4|00|-|00|4|00|b|00|b|00|0|00|-|00|A|00|5|00|D|00|F|00|-|00|F|00|7|00|8|00|F|00|C|00|A|00|D|00|2|00|8|00|7|00|0|00|7|00|"; 
fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00A\x00F\x003\x007\x008\x00D\x00E\x00-\x004\x005\x007\x004\x00-\x004\x00b\x00b\x000\x00-\x00A\x005\x00D\x00F\x00-\x00F\x007\x008\x00F\x00C\x00A\x00D\x002\x008\x007\x000\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14391; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call unicode access"; flow:established,to_client; content:"V|00|i|00|e|00|2|00|L|00|i|00|b|00|.|00|V|00|i|00|e|00|2|00|L|00|i|00|n|00|u|00|x|00|V|00|o|00|l|00|u|00|m|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html;
classtype:attempted-user; sid:14393; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call unicode access"; flow:established,to_client; content:"I|00|n|00|t|00|r|00|a|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|L|00|o|00|g|00|g|00|i|00|n|00|g|00|.|00|L|00|o|00|g|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14465; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid access"; flow:established,to_client; content:"AF13B07E-28A1-4CAC-9C9A-EC582E354A24"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q1)(\s|>)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html;
classtype:attempted-user; sid:14462; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid access"; flow:established,to_client; content:"7B9C5422-39AA-4c21-BEEF-645E42EB4529"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4c21-BEEF-645E42EB4529\s*}?\s*(?P=q1)(\s|>)/Osi"; reference:bugtraq,30934; reference:cve,2008-3691; reference:cve,2008-3692; reference:cve,2008-3693; reference:cve,2008-3694; reference:cve,2008-3695; reference:cve,2008-3696; reference:url,www.vmware.com/security/advisories/VMSA-2008-0014.html; classtype:attempted-user; sid:14416; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX clsid unicode access"; flow:established,to_client; content:"E|00|6|00|2|00|3|00|9|00|E|00|B|00|3|00|-|00|E|00|0|00|B|00|0|00|-|00|4|00|6|00|D|00|A|00|-|00|A|00|2|00|1|00|5|00|-|00|C|00|F|00|A|00|9|00|B|00|3|00|B|00|7|00|4|00|0|00|C|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x002\x003\x009\x00E\x00B\x003\x00-\x00E\x000\x00B\x000\x00-\x004\x006\x00D\x00A\x00-\x00A\x002\x001\x005\x00-\x00C\x00F\x00A\x009\x00B\x003\x00B\x007\x004\x000\x00C\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-1786; classtype:attempted-user; sid:14030; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Internet Explorer CSS expression defined to empty slection attempt"; flow:established, to_client; content:"expression"; nocase; content:"document.selection.empty"; within:50; pcre:"/expression\s*\x28\s*document\x2eselection\x2eempty\s*\x28\s*\x29/si"; reference:cve,2011-1261;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-050; classtype:attempted-admin; sid:19244; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Cover page document file download attempt"; flow:to_server,established; content:".cov"; nocase; http_uri; flowbits:set,file.cov; flowbits:noalert; classtype:misc-activity; sid:18674; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:8;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR only 1 rat runtime detection - icmp request"; itype:8; content:"Pinging from Delphi code written by F. Piette"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632; classtype:trojan-activity; sid:10452; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Microsoft PowerPoint file download attempt"; flow:to_server,established; content:".ppt"; nocase; http_uri; flowbits:set,ppt.download; flowbits:noalert; classtype:misc-activity; sid:13982; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 13722 (msg:"DELETED MISC Veritas NetBackup java user interface service format string attack attempt"; flow:established,to_server; content:"%n"; fast_pattern:only; reference:cve,2005-2715; classtype:attempted-admin; sid:15931; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT pub file download"; flow:to_client,established; content:"CHNKINK "; reference:bugtraq,19951; reference:cve,2006-0001; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054; classtype:misc-activity; sid:8350; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 12174 (msg:"DELETED EXPLOIT Symantec Alert Management System Intel File Transfer Service arbitrary program execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; pcre:"/^\x00\x00\x00\x00.{2}(\x2f{2}|\x5c{2}|([A-F0-9\x21\x23-\x27\x2a\x2b\x2d\x2f\x3d\x3f\x5e\x5f\x60\x7b-\x7e]+\x2e){2})/si"; reference:bugtraq,34675; reference:cve,2009-1431; classtype:attempted-admin; sid:15556; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow over http attempt"; flow:to_server,established; content:"get-dated-rev"; pcre:"/get-dated-rev\x20\x28\x20\d{1,4}\x3a([^T\x2d\x3a]{9}|[^\x2d]{4}\x2d[^\x2d]{3}|[^\x2d]{4}\x2d[^\x2d]{2}\x2d[^\x2d]{3})/i"; reference:bugtraq,10386; reference:cve,2004-0397; classtype:attempted-user; sid:15388; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 12174 (msg:"DELETED EXPLOIT Symantec Multiple Products Intel Common Base Agent CreateProcessA Function remote command execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"cmd /c"; fast_pattern:only; nocase; reference:bugtraq,34671; reference:cve,2009-1429; classtype:attempted-admin; sid:17048; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT excel object record overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; content:"]"; content:"|05|"; within:8; flowbits:set,excel.object; flowbits:noalert; reference:cve,2006-1306; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-037; classtype:attempted-user; sid:7047; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:536; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2973; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2467; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; fast_pattern; nocase; classtype:protocol-command-decode; sid:2974; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2468; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2975; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2469; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; fast_pattern; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2976; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:533; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2977; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2470; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; fast_pattern; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2978; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2471; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 
00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2979; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2472; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2980; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:532; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2981; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2473; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2982; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2983; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2475; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt"; flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:7; dce_stub_data; content:"|00 00 00 00|"; depth:4; 
offset:8; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,8,relative,dce; reference:bugtraq,23470; reference:cve,2007-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-029; classtype:attempted-admin; sid:16499; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt"; flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:1,3; dce_stub_data; content:"|00 00 00 00|"; depth:4; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,8,relative,dce; reference:bugtraq,23470; reference:cve,2007-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-029; classtype:attempted-admin; sid:16500; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call access"; flow:established,to_client; content:"TLI.TLIApplication"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22TLI\.TLIApplication\x22|\x27TLI\.TLIApplication\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*TypeLibInfoFromFile\s*|.*(?P=v)\s*\.\s*TypeLibInfoFromFile\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TLI\.TLIApplication\x22|\x27TLI\.TLIApplication\x27)\s*\)(\s*\.\s*TypeLibInfoFromFile\s*|.*(?P=n)\s*\.\s*TypeLibInfoFromFile\s*)\s*\(/Osmi"; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12271; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access"; flow:established,to_client; content:"T|00|L|00|I|00|.|00|T|00|L|00|I|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)T\x00L\x00I\x00.\x00T\x00L\x00I\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)T\x00L\x00I\x00.\x00T\x00L\x00I\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:cve,2007-2216; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-045; classtype:attempted-user; sid:12272; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 6 ActiveX function call unicode access"; flow:established,to_client; content:"B|00|D|00|A|00|T|00|u|00|n|00|e|00|r|00|.|00|M|00|P|00|E|00|G|00|2|00|T|00|u|00|n|00|e|00|R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)B\x00D\x00A\x00T\x00u\x00n\x00e\x00r\x00.\x00M\x00P\x00E\x00G\x002\x00T\x00u\x00n\x00e\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)B\x00D\x00A\x00T\x00u\x00n\x00e\x00r\x00.\x00M\x00P\x00E\x00G\x002\x00T\x00u\x00n\x00e\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:bugtraq,35558; reference:cve,2008-0015; reference:cve,2009-0901; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-060; classtype:attempted-user; sid:15905; rev:6;) # alert 
tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 6 ActiveX function call access"; flow:established,to_client; content:"BDATuner.MPEG2TuneRequest"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22BDATuner\.MPEG2TuneRequest(\.\d)?\x22|\x27BDATuner\.MPEG2TuneRequest(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BDATuner\.MPEG2TuneRequest(\.\d)?\x22|\x27BDATuner\.MPEG2TuneRequest(\.\d)?\x27)\s*\)/smiO"; reference:bugtraq,35558; reference:cve,2008-0015; reference:cve,2009-0901; reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-037; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-060; classtype:attempted-user; sid:15904; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT IBM Lotus Expeditor cai URI Handler Command Execution attempt"; flow:to_client,established; content:"cai|3A|"; nocase; content:"-launcher"; distance:0; nocase; pcre:"/\x3c[^\x3e]+((\x22cai\x3a[^\x3e]*?\x2522[^\x3e\x22]*-launcher[^\x3e\x22]*\x22)|(\x27cai\x3a[^\x3e]*?(\x2522|\x22)[^\x3e\x27]*-launcher[^\x3e\x27]*\x27)|(cai\x3a[^\x3e]*?(\x2522|\x22)[^\x3e]*-launcher[^\x3e]*?\s+))\s*\x3e/smi"; reference:cve,2008-1965; classtype:attempted-admin; sid:13799; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED MISC Multiple vendors CUPS HPGL filter remote code execution attempt"; flow:to_server,established; content:"PC"; byte_test:4,<,0,0,relative,string,dec; reference:bugtraq,31688; reference:cve,2008-3641; reference:url,www.cups.org/str.php?L2911; classtype:attempted-user; sid:15189; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED MISC Multiple vendors CUPS HPGL filter remote code execution attempt"; flow:to_server,established; content:"PW";
fast_pattern:only; pcre:"/PW\x2E?[0-9]+\s*,\s/"; byte_test:4,<,0,0,relative,string,dec; reference:bugtraq,31688; reference:cve,2008-3641; classtype:attempted-user; sid:15187; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Apple Quicktime Plug-In Security Bypass"; flow:to_client,established; flowbits:isset,file.quicktime; content:"quicktime|20|type|3D 22|application"; nocase; content:"qtnext|3D 22|file|3A 2F 2F|"; distance:0; nocase; reference:bugtraq,20138; reference:cve,2006-4965; classtype:attempted-user; sid:17290; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED MISC Panda Antivirus ZOO archive decompression buffer overflow attempt"; flow:to_client,established; file_data; content:"Rar|21 1A|"; depth:5; content:"|77|"; content:"|01 01 00|"; within:3; distance:8; byte_test:2,>,3168,0,relative; reference:cve,2005-3922; classtype:attempted-user; sid:17728; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2972; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"DELETED WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:web-application-attack; sid:1498; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Microsoft FlashPix file download"; flow:established,to_server; content:".fpx"; nocase; http_uri; flowbits:set,file.fpx; flowbits:noalert; classtype:misc-activity; sid:18228; rev:6;) # alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Microsoft OpenType Font file download"; flow:established,to_server; content:".otf"; nocase; http_uri; flowbits:set,file.otf; flowbits:noalert; classtype:misc-activity; sid:18232; rev:6;) # alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"DELETED BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:10;) # alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"DELETED BAD-TRAFFIC udp port 0 traffic"; flow:to_server; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:12;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:9;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:7;) # alert ip any any -> any any (msg:"DELETED BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2186; rev:8;) # alert ip any any -> any any (msg:"DELETED BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2187; rev:8;) # alert ip any any -> any any (msg:"DELETED BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2188; rev:8;) # alert ip any any -> any any (msg:"DELETED BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:8;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; 
sid:469; rev:6;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:6;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:7;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:6;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP Source Quench"; icode:0; itype:4; reference:bugtraq,13124; reference:cve,2004-0791; classtype:bad-unknown; sid:477; rev:6;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:6;) # alert icmp any any -> any any (msg:"DELETED ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:7;) # alert icmp any any -> any any (msg:"DELETED ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:7;) # alert icmp any any -> any any (msg:"DELETED ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:7;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC source route lsrr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0510; reference:cve,1999-0909; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-038; classtype:bad-unknown; sid:500; rev:9;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC source route lsrre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-038; classtype:bad-unknown; sid:501; rev:9;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC source route ssrr"; ipopts:ssrr ; reference:cve,1999-0510; classtype:bad-unknown; sid:502; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC IP option SATID stream_id set"; ipopts:satid; classtype:bad-unknown; sid:8733; rev:2;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC IP option SEC security set"; ipopts:sec; classtype:bad-unknown; sid:8732; rev:2;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC IP option TS timestamp set"; ipopts:ts; classtype:bad-unknown; sid:8731; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Microsoft Access file download request"; flow:to_server,established; content:"GET"; nocase; content:".mdb"; nocase; http_uri; flowbits:set,http.mdb; reference:url,support.microsoft.com/kb/925330; classtype:misc-activity; sid:13628; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Microsoft Access file download request"; flow:to_server,established; content:"GET"; nocase; content:".mdb"; nocase; http_uri; flowbits:set,access.download; flowbits:noalert; reference:url,support.microsoft.com/kb/925330; classtype:misc-activity; sid:13627; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] (msg:"DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt"; flow:to_server,established; 
content:"|6C 83|"; byte_test:3,>,1000,0,relative; reference:cve,2006-0647; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html; classtype:attempted-dos; sid:17455; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] (msg:"DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt"; flow:to_server,established; content:"|63 83|"; byte_test:3,>,1000,0,relative; reference:cve,2006-0647; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html; classtype:attempted-dos; sid:17452; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] (msg:"DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt"; flow:to_server,established; content:"|6C 84|"; byte_test:4,>,1000,0,relative; reference:cve,2006-0647; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html; classtype:attempted-dos; sid:17456; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] (msg:"DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt"; flow:to_server,established; content:"|6C 82|"; byte_test:2,>,1000,0,relative; reference:cve,2006-0647; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html; classtype:attempted-dos; sid:17454; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] (msg:"DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt"; flow:to_server,established; content:"|63 84|"; byte_test:4,>,1000,0,relative; reference:cve,2006-0647; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html; classtype:attempted-dos; sid:17453; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] (msg:"DELETED WEB-MISC Sun Directory Server LDAP denial of service attempt"; flow:to_server,established; content:"|63 82|"; byte_test:2,>,1000,0,relative; reference:cve,2006-0647; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html; classtype:attempted-dos; sid:17451; 
rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage"; flow:to_client,established; flowbits:isset,superSpy_20_Beta_ProcessesManage; content:"|02|"; depth:1; nocase; content:"|04 00|"; within:2; distance:1; nocase; pcre:"/^\x02[\x08\x0c]\x04\x00/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8475; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - screen capture"; flow:to_client,established; flowbits:isset,superSpy_20_Beta_ScreenCapture; dsize:<50; content:"|02 01 04 00|"; depth:4; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8473; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - screen capture 2"; flow:to_server,established; dsize:<50; content:"|02 00 00 00|"; depth:4; nocase; flowbits:set,superSpy_20_Beta_ScreenCapture; flowbits:noalert; classtype:trojan-activity; sid:8472; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - get system info"; flow:to_server,established; content:"|02 05 00 00|"; depth:4; nocase; flowbits:set,superSpy_20_Beta_GetSystemInfo; flowbits:noalert; classtype:trojan-activity; sid:8470; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - get system info 2"; flow:to_client,established; flowbits:isset,superSpy_20_Beta_GetSystemInfo; content:"|02 06 AC 03|"; depth:4; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8471; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage 2"; flow:to_server,established; content:"|02|"; 
depth:1; nocase; content:"|00 00|"; within:2; distance:1; pcre:"/^\x02[\x07\x0b]\x00\x00/"; flowbits:set,superSpy_20_Beta_ProcessesManage; flowbits:noalert; classtype:trojan-activity; sid:8474; rev:7;) # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"DELETED POLICY Possible Microsoft telnet NTLM reflection attempt"; flow:established, to_server; content:"|FF FA 25 00 0F|"; depth:5; rawbytes; content:"NTLMSSP"; within:7; distance:10; fast_pattern; rawbytes; reference:cve,2000-0834; reference:cve,2009-1930; reference:url,secunia.com/advisories/36222/; classtype:attempted-admin; sid:17627; rev:3;) # alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"DELETED SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT XBM file download"; flow:to_server,established; content:".xbm"; nocase; http_uri; flowbits:set,file.xbm; flowbits:noalert; classtype:misc-activity; sid:17237; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Video 7 ActiveX clsid unicode access"; flow:established,to_client; content:"1|00|5|00|D|00|6|00|5|00|0|00|4|00|A|00|-|00|5|00|4|00|9|00|4|00|-|00|4|00|9|00|9|00|C|00|-|00|8|00|8|00|6|00|C|00|-|00|9|00|7|00|3|00|C|00|9|00|E|00|5|00|3|00|B|00|9|00|F|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x005\x00D\x006\x005\x000\x004\x00A\x00-\x005\x004\x009\x004\x00-\x004\x009\x009\x00C\x00-\x008\x008\x006\x00C\x00-\x009\x007\x003\x00C\x009\x00E\x005\x003\x00B\x009\x00F\x001\x00(}\x00)?(?P=q86)(?=\s\x00|>\x00)/siO"; reference:cve,2008-0015; 
reference:url,technet.microsoft.com/en-us/security/advisory/972890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-032; classtype:attempted-user; sid:15673; rev:8;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt"; flow:established,to_server; content:"dbms_snap_internal.delete_refresh_operations"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{46,}\x27|\x22[^\x22]{46,}\x22)[\r\n\s]*\x3b.*snap_name[\r\n\s]*=>[\r\n\s]*\2|snap_name\s*=>\s*(\x27[^\x27]{46}|\x22[^\x22]{46})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*(\x27[^\x27]{46}|\x22[^\x22]{46}))/si"; reference:bugtraq,23532; reference:cve,2007-2126; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html; classtype:attempted-user; sid:17375; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX function call access"; flow:established,to_client; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22DWUSWebAgent\.WebAgent\x22|\x27DWUSWebAgent\.WebAgent\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ExecuteRemote\s*|.*(?P=v)\s*\.\s*ExecuteRemote\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DWUSWebAgent\.WebAgent\x22|\x27DWUSWebAgent\.WebAgent\x27)\s*\)(\s*\.\s*ExecuteRemote\s*|.*(?P=n)\s*\.\s*ExecuteRemote\s*)\s*\(/Osmi"; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14766; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX function call unicode access"; flow:established,to_client; content:"D|00|W|00|U|00|S|00|W|00|e|00|b|00|A|00|g|00|e|00|n|00|t|00|.|00|W|00|e|00|b|00|A|00|g|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)D\x00W\x00U\x00S\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00.\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00(?P=q29)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)D\x00W\x00U\x00S\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00.\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00(?P=q30)(\s|>)(\s\x00)*\)\x00/Osmi"; reference:bugtraq,31235; reference:cve,2008-2470; classtype:attempted-user; sid:14767; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Excel file download request"; flow:established,to_server; content:".xls"; nocase; http_uri; flowbits:set,file.xls; flowbits:noalert; classtype:protocol-command-decode; sid:15585; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"DELETED EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow attempt"; flow:to_server,established; content:"get-dated-rev"; pcre:"/get-dated-rev\x20\x28\x20\d*\x3a([^\s\x28]{8}[^T]|[A-Za-z]{3}\s\d{,2}\s[^\s\x28]{4})/i"; reference:bugtraq,10386; reference:cve,2004-0397; classtype:attempted-user; sid:14601; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED EXPLOIT Lotus Domino HTTP header overflow attempt"; flow:established,to_server; content:".nsf?"; fast_pattern; nocase; http_uri; content:"Accept-Language|3A|"; nocase; http_header; pcre:"/^[A-Za-z]+\s+[^\s\n]*[\x80-\xFF].*\nAccept-Language\x3A\s*[^\s\x3b\x2c]{32}/siH"; reference:bugtraq,29310; reference:cve,2008-2240; classtype:attempted-admin; sid:13924; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT xls file download"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; 
flowbits:set,xls.download; flowbits:noalert; reference:url,sc.openoffice.org/excelfileformat.pdf; classtype:misc-activity; sid:7023; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; fast_pattern:only; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [5900:5999] (msg:"DELETED EXPLOIT RealVNC client response"; flow:established,to_server; dsize:12; content:"RFB 00"; depth:6; flowbits:set,vnc.pv.setup; flowbits:set,vnc.vul.setup; flowbits:noalert; reference:bugtraq,17978; reference:cve,2006-2369; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13611; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [5900:5999] (msg:"DELETED EXPLOIT RealVNC server authentication bypass attempt"; flow:established; flowbits:isset,vnc.vul.setup; dsize:1; content:"|01|"; depth:1; flowbits:unset,vnc.vul.setup; reference:bugtraq,17978; reference:cve,2006-2369; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13612; rev:5;) # alert tcp $HOME_NET [5900:5999] -> $HOME_NET any (msg:"DELETED EXPLOIT RealVNC server authentication version array check"; flow:to_client; flowbits:isset, vnc.vul.setup; content:"|01|"; offset:1; flowbits:unset,vnc.vul.setup; flowbits:noalert; reference:bugtraq,17978; reference:cve,2006-2369; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13880; rev:3;) # alert tcp $HOME_NET [5900:5999] -> $EXTERNAL_NET any (msg:"DELETED POLICY RealVNC Server configured to allow NULL authentication"; flow:established,to_client; flowbits:isset, vnc.pv.setup; content:"|01|"; offset:1; flowbits:unset,vnc.pv.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13881; rev:3;) # alert tcp $HOME_NET [5900:5999] -> $EXTERNAL_NET any (msg:"DELETED POLICY RealVNC Server configured 
not to require authentication"; flow:established,to_client; flowbits:isset, vnc.pv.setup; pcre:"/^(?!RFB).[^\x01]+/"; flowbits:unset,vnc.pv.setup; flowbits:noalert; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13882; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"DELETED WEB-MISC Microsoft Active Directory LDAP query DoS attempt"; flow:to_server,established; content:"2.16.840.1.113730.3.4.2"; reference:bugtraq,27638; reference:cve,2008-0088; classtype:attempted-dos; sid:16202; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX function call access"; flow:established,to_client; content:"snpvw.Snapshot Viewer Control"; fast_pattern:only; pcre:"/(?P\w+)\s*=\s*(\x22snpvw\.Snapshot\s*Viewer\s*Control\x22|\x27snpvw\.Snapshot\s*Viewer\s*Control\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=v)\s*\.\s*(SnapshotPath|CompressedPath)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22snpvw\.Snapshot\s*Viewer\s*Control\x22|\x27snpvw\.Snapshot\s*Viewer\s*Control\x27)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=n)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/smi"; reference:cve,2008-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-041; reference:url,www.microsoft.com/TechNet/security/advisory/955179.mspx; classtype:attempted-user; sid:13909; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX function call unicode access"; flow:established,to_client; content:"s|00|n|00|p|00|v|00|w|00|.|00|S|00|n|00|a|00|p|00|s|00|h|00|o|00|t|00| |00|V|00|i|00|e|00|w|00|e|00|r|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)s\x00n\x00p\x00v\x00w\x00.\x00S\x00n\x00a\x00p\x00s\x00h\x00o\x00t\x00(\s\x00)*V\x00i\x00e\x00w\x00e\x00r\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)s\x00n\x00p\x00v\x00w\x00.\x00S\x00n\x00a\x00p\x00s\x00h\x00o\x00t\x00(\s\x00)*V\x00i\x00e\x00w\x00e\x00r\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:cve,2008-2463; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-041; reference:url,www.microsoft.com/TechNet/security/advisory/955179.mspx; classtype:attempted-user; sid:13910; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s[^\n]{512}/smi"; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC Authorization Basic overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; content:"Basic"; distance:0; nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s[^\n]{250}/smi"; reference:bugtraq,8375; reference:cve,2003-0727; classtype:web-application-attack; sid:3466; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR netbus active"; flow:to_client,established; content:"NetBus"; depth:6; nocase; pcre:"/^NetBus\s+\d+\x2E\d+/smi"; classtype:trojan-activity; sid:109; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR poison ivy 2.3.0 runtime detection - server connection"; flow:to_client,established; flowbits:isset,PoisonIvy2.3.0_serverDetection; content:"|E0 F5|=|C1 F0 EA 15 DB|C>e|F8 9B E2 14 BA|"; depth:16; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PoisonIvy&threatid=43179; classtype:trojan-activity; sid:12702; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR poison ivy 2.3.0 runtime detection - server connection"; flow:to_server,established; content:"|B9 E1 A5|~|C7 B7 82|n|22|n|0B CB FD|w|ED|I"; depth:16; flowbits:set,PoisonIvy2.3.0_serverDetection; flowbits:noalert; classtype:trojan-activity; sid:12701; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-MISC text/html content-type without HTML - possible malware C&C"; flow:established; content:"Content-Type|3A| text/html"; nocase; content:!"Content-Encoding|3A|"; nocase; file_data; content:!"html"; nocase; content:!"http"; nocase; content:!"xml"; nocase; content:!"var"; nocase; content:!"jpg"; nocase; classtype:non-standard-protocol; sid:16460; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED BACKDOOR c99shell.php command request"; flow:established,to_server; content:"act="; http_uri; pcre:"/[\x26\x3F]act=(cmd|search|upload|about|encoder|bind|ps_aux|ftpquickbrute|security|sql|eval|feedback|selfremove|fsbuff|ls|phpinfo)/Usmi"; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:12077; rev:4;) # alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DELETED DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED POLICY Inbound potentially malicious file download attempt"; flow:to_server,established; content:"GET /"; nocase; pcre:"/^GET \x2F[^\r\n\x3F]+\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/smi"; 
classtype:suspicious-filename-detect; sid:13592; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"DELETED POLICY Potentially unauthorized file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Autonomy KeyView SDK Excel file SST parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.xls; content:"|FC 00|"; byte_test:4,>,0x10000000,6,relative,little; reference:bugtraq,36042; reference:cve,2009-3037; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21396492; classtype:attempted-user; sid:16458; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call unicode access"; flow:established,to_client; content:"S|00|a|00|f|00|e|00|A|00|n|00|d|00|S|00|o|00|u|00|n|00|d|00|A|00|T|00|L|00|.|00|N|00|i|00|x|00|o|00|n|00|C|00|o|00|n|00|f|00|i|00|g|00|M|00|g|00|r|00|E|00|x|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00C\x00o\x00n\x00f\x00i\x00g\x00M\x00g\x00r\x00E\x00x\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00C\x00o\x00n\x00f\x00i\x00g\x00M\x00g\x00r\x00E\x00x\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; 
reference:cve,2007-2987; reference:cve,2007-3707; classtype:attempted-user; sid:12098; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid access"; flow:established,to_client; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DBDDA6-9A80-42A4-B824-9BC50CC172F5\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Fill|DebugMsgLog)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DBDDA6-9A80-42A4-B824-9BC50CC172F5\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m4)(\s|>).*(?P=id2)\.(Fill|DebugMsgLog))\s*\(/si"; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3707; classtype:attempted-user; sid:12095; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call access"; flow:established,to_client; content:"SafeAndSoundATL.NixonConfigMgrEx"; pcre:"/(?P\w+)\s*=\s*(\x22SafeAndSoundATL\.NixonConfigMgrEx\x22|\x27SafeAndSoundATL\.NixonConfigMgrEx\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Fill|DebugMsgLog)\s*|.*(?P=v)\s*\.\s*(Fill|DebugMsgLog)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SafeAndSoundATL\.NixonConfigMgrEx\x22|\x27SafeAndSoundATL\.NixonConfigMgrEx\x27)\s*\)(\s*\.\s*(Fill|DebugMsgLog)\s*|.*(?P=n)\s*\.\s*(Fill|DebugMsgLog)\s*)\s*\(/smi"; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3707; classtype:attempted-user; sid:12097; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid unicode access"; flow:established,to_client; 
content:"5|00|9|00|D|00|B|00|D|00|D|00|A|00|6|00|-|00|9|00|A|00|8|00|0|00|-|00|4|00|2|00|A|00|4|00|-|00|B|00|8|00|2|00|4|00|-|00|9|00|B|00|C|00|5|00|0|00|C|00|C|00|1|00|7|00|2|00|F|00|5|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; reference:bugtraq,24217; reference:bugtraq,24274; reference:bugtraq,24848; reference:bugtraq,24883; reference:cve,2007-2987; reference:cve,2007-3707; classtype:attempted-user; sid:12096; rev:4;) # alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"DELETED BACKDOOR flux 1.0 runtime detection"; flow:to_client,established; content:"|1A 01 00 00|"; depth:4; classtype:trojan-activity; sid:7611; rev:7;) # alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"DELETED INFO Connection Closed MSG from Port 80"; flow:to_client,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED INFO web bug 1x1 gif attempt"; flow:to_client,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2951; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED BEA WebLogic Apache connector HTTP version denial of service attempt"; flow:to_server,established; content:!"?"; http_uri; content:"HTTP/"; nocase; pcre:"/^[^\n]*\sHTTP\x2f[^\n]*\x3f/i"; reference:cve,2008-5457; 
reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html; classtype:denial-of-service; sid:15263; rev:5;) # alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"DELETED ISS RealSecure 6 event collector connection attempt"; flow:to_client,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:5;) # alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"DELETED ISS RealSecure 6 daemon connection attempt"; flow:to_client,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"DELETED P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"DELETED P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"DELETED P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:9;) # alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"DELETED P2P napster upload request"; flow:to_client,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:10;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"DELETED P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:8;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"DELETED P2P Napster Client Data"; flow:to_server,established; 
content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:7;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"DELETED P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:8;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"DELETED P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:9;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"DELETED P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"DELETED P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"DELETED FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"DELETED FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; pcre:"/^BDAT/smi"; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; reference:bugtraq,4204; reference:cve,2002-0055; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms02-012; classtype:denial-of-service; sid:10995; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"DELETED SQL Jive Software Openfire Jabber Server SQL injection attempt"; flow:to_server,established; content:"GET"; nocase; content:"%"; within:300; pcre:"/GET\s+[^\s]*(username|numa|numb|type)[^\s]*\x25/smi"; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-user; sid:16450; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT JPEG transfer"; flow:to_client,established; content:"image/"; nocase; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fp?jpe?g/smi"; flowbits:set,file.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT HTML DOM invalid DHTML element creation attempt"; flow:to_client,established; content:"createElement"; pcre:"/(\w+)\s*=\s*\w+\.createElement\(((\x22\x22|\x27\x27)|([A-z]\w*))\)\s*\;.*?\w+\.(insertBefore|insertAfter|appendChild)\(\1\)\;|\w\.(insertBefore|insertAfter|appendChild)\(\w+\.createElement\(((\x22\x22|\x27\x27)|([A-z]\w*))\)/s"; reference:bugtraq,13120; reference:cve,2005-0553; reference:nessus,10861; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-020; classtype:attempted-user; sid:3549; rev:16;) # alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"DELETED WEB-CLIENT Ultravox-Max-Msg header integer overflow attempt"; flow:to_client,established; 
content:"Ultravox-Max-Msg|3A|"; nocase; byte_test:10,>,65535,0,relative,string; reference:bugtraq,20744; reference:cve,2006-5567; reference:url,www.winamp.com/player/version_history.php; classtype:attempted-user; sid:9435; rev:3;) # alert tcp $EXTERNAL_NET 8090 -> $HOME_NET any (msg:"DELETED WEB-CLIENT Ultravox-Max-Msg header integer overflow attempt"; flow:to_client,established; content:"Ultravox-Max-Msg|3A|"; nocase; byte_test:10,>,65535,0,relative,string; reference:bugtraq,20744; reference:cve,2006-5567; reference:url,www.winamp.com/player/version_history.php; classtype:attempted-user; sid:9436; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT midi file download attempt"; flow:to_client,established; content:"Content|2D|Type|3A|"; nocase; http_header; content:"audio/midi"; within:20; fast_pattern; http_header; flowbits:set,file.mid; flowbits:noalert; classtype:misc-activity; sid:16026; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS scripts access"; flow:to_server,established; content:"/scripts/"; nocase; http_uri; classtype:web-application-activity; sid:1287; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED viewcode.jse access"; flow:to_server,established; content:"/viewcode.jse"; http_uri; reference:bugtraq,3715; reference:cve,2001-1580; classtype:web-application-activity; sid:1389; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC 
viewcode access"; flow:to_server,established; content:"/viewcode"; http_uri; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC showcode access"; flow:to_server,established; content:"/showcode"; http_uri; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-attack; sid:1404; rev:12;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR fkwp 2.0 runtime detection - connection success"; flow:to_client,established; flowbits:isset,fkwp_conn_cts; dsize:<10; content:"SUC"; depth:3; nocase; reference:url,www.spywareguide.com/spydet_3088_eltc_editorfkwp.html; classtype:trojan-activity; sid:6033; rev:7;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR fkwp 2.0 runtime detection - connection attempt server-to-client"; flow:to_client,established; flowbits:isset,fkwp_conn_cts; dsize:<10; content:"FAI"; depth:3; nocase; classtype:trojan-activity; sid:6031; rev:8;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR minicommand runtime detection - directory listing server-to-client"; flow:to_client,established; content:"minicommand"; nocase; content:"fileserver"; distance:0; nocase; content:"ready"; distance:0; nocase; pcre:"/minicommand\s+fileserver\s+ready\.\r\n/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6036; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR fkwp 2.0 runtime detection - connection attempt client-to-server"; flow:to_server,established; dsize:<10; content:"AUTH"; depth:4; nocase; flowbits:set,fkwp_conn_cts; flowbits:noalert; reference:url,www.spywareguide.com/spydet_3088_eltc_editorfkwp.html; classtype:trojan-activity; sid:6030; rev:7;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR 
optixlite 1.0 runtime detection - connection failure server-to-client"; flow:to_client,established; flowbits:isset,optixlite_suc_conn_cts; content:"password"; depth:8; nocase; pcre:"/^password\x3B0\x3BIncorrect\s+password/smi"; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6068; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:to_client,established; content:"xr"; depth:2; nocase; flowbits:set,backdoor.hellzaddiction.1.0E.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6140; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR freak 1.0 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"026"; depth:3; nocase; flowbits:set,freak_cts; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6072; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR optixlite 1.0 runtime detection - connection success client-to-server"; flow:to_server,established; content:"password|3B|"; depth:9; nocase; flowbits:set,optixlite_suc_conn_cts; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1577; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26952; classtype:trojan-activity; sid:6065; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR minicommand runtime detection - initial connection client-to-server"; flow:to_server,established; content:"login^"; depth:6; flowbits:set,MiniCommand.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6034; rev:5;) # alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"DELETED BACKDOOR 
omerta 1.3 runtime detection"; flow:to_client,established; flowbits:isset,Omerta_1_3_conn_2; content:"connect|7C|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6501; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR small uploader 1.01 runtime detection - get server information - flowbit set"; flow:to_server,established; content:"SrvInfo"; nocase; flowbits:set,smalluploader_srvinfo; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7652; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"DELETED BACKDOOR forced control uploader runtime detection directory listing"; flow:to_server,established; flowbits:isset,Forced_Control_Uploader_Dir4; content:"EOF"; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7790; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"DELETED BACKDOOR forced control uploader runtime detection - connection with password - flowbit set"; flow:to_server,established; content:"PWD"; depth:3; flowbits:set,Forced_Control_Uploader_Password; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7784; rev:3;) # alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"DELETED BACKDOOR forced control uploader runtime detection directory listing - flowbit set 2"; flow:to_client,established; flowbits:isset,Forced_Control_Uploader_Dir1; content:"ULL["; flowbits:set,Forced_Control_Uploader_Dir2; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7787; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"DELETED BACKDOOR forced 
control uploader runtime detection directory listing - flowbit set 1"; flow:to_server,established; content:"DIR"; flowbits:set,Forced_Control_Uploader_Dir1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7786; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR data rape runtime detection - execute program client-to-server"; flow:to_server,established; content:"063"; depth:3; nocase; flowbits:set,Data_Rape_Execute_Program; flowbits:noalert; reference:url,www.megasecurity.org/trojans/d/datarape/Datarape1.0f.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076909; classtype:trojan-activity; sid:7768; rev:3;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR diems mutter runtime detection - server-to-client"; flow:to_client,established; flowbits:isset,DiemsMutter; content:"v|3B|"; depth:2; nocase; pcre:"/^v\x3B\d+\x2E\d+\x3B/smi"; reference:url,www.megasecurity.org/trojans/d/diemsmutter/Diemsmutter1.4.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=16111; classtype:trojan-activity; sid:7657; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR bionet 4.05 runtime detection - file manager - flowbit set"; flow:to_server,established; content:"|00 00 00 FF 00 01 00 01 FD 12 00|"; flowbits:set,BioNet4_05_fm; flowbits:noalert; reference:url,www.megasecurity.org/trojans/b/bionet/Bionet4.00.05be.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7736; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR beast 2.02 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"666"; depth:3; flowbits:set,beast_conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075851; classtype:trojan-activity; sid:7756; rev:3;) # alert tcp 
$HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR analftp 0.1 runtime detection - initial connection"; flow:to_client,established; content:"Anal"; nocase; content:"FTP"; distance:0; nocase; pcre:"/^\d+\s+Anal\s+FTP\s+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59411; classtype:trojan-activity; sid:7761; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR diems mutter runtime detection - client-to-server"; flow:to_server,established; content:"v|3B|"; depth:2; nocase; flowbits:set,DiemsMutter; flowbits:noalert; reference:url,www.megasecurity.org/trojans/d/diemsmutter/Diemsmutter1.4.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=16111; classtype:trojan-activity; sid:7656; rev:3;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR beast 2.02 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,beast_conn; content:"666"; depth:3; pcre:"/^666\d+\xFF\d+\xFF\d+\xFF\d+\xFF\d+\xFF\d+\xFF\d+\xFF/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075851; classtype:trojan-activity; sid:7757; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR small uploader 1.01 runtime detection - remote shell - flowbit set"; flow:to_server,established; content:"DoScAp"; nocase; flowbits:set,smalluploader_remotesh; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7654; rev:4;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR bionet 4.05 runtime detection - file manager"; flow:to_client,established; flowbits:isset,BioNet4_05_fm; content:"|00 00 00 01 01 00 01 00 00 00|"; reference:url,www.megasecurity.org/trojans/b/bionet/Bionet4.00.05be.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7737; rev:4;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any 
(msg:"DELETED BACKDOOR small uploader 1.01 runtime detection - get server information"; flow:to_client,established; flowbits:isset,smalluploader_srvinfo; content:"SrvInfoFearless"; nocase; content:"Lite"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/SrvInfoFearless\s+Lite\s+Server/smi"; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7653; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR nightcreature beta 0.01 runtime detection"; flow:to_server,established; content:""; depth:4; nocase; flowbits:set,nightcreature.conn.step1; flowbits:noalert; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7819; rev:3;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR nightcreature beta 0.01 runtime detection"; flow:to_client,established; flowbits:isset,nightcreature.conn.step1; content:"ok"; depth:6; nocase; flowbits:set,nightcreature.conn.step2; flowbits:noalert; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7820; rev:4;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR small uploader 1.01 runtime detection - remote shell"; flow:to_client,established; flowbits:isset,smalluploader_remotesh; content:"DoScAp"; nocase; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7655; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED Palm WebOS 1.2.0 floating point exception denial of service attempt"; flow:to_client,established; content:"http-equiv"; fast_pattern; content:"Content-Length|3A|"; byte_test:10,>,50279,0,relative,string; pcre:"/]+http-equiv\s*=\s*(["'])refresh\1[^>]*content\s*=\s*(["'])[0-9]\2/smi"; reference:url,kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#121; reference:url,tlhsecurity.blogspot.com/2009/10/palm-pre-webos-version-11-floating.html; 
classtype:attempted-dos; sid:16451; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] (msg:"DELETED EXPLOIT Microsoft Active Directory LDAP query handling denial of service"; flow:to_server,established; content:"40.1.113730.3.4.2"; reference:cve,2008-0088; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-003; classtype:denial-of-service; sid:16433; rev:3;) # alert tcp $HOME_NET any -> [128.118.25.3,128.138.140.44,128.2.129.21,128.2.136.71,128.206.12.130,128.59.59.177,129.132.2.21,130.235.20.3,130.88.200.6,130.88.200.98,131.188.3.221,131.188.3.223,131.216.1.101,132.163.4.101,132.163.4.102,132.163.4.103,132.236.56.250,132.246.168.148] 37 (msg:"DELETED VIRUS Possible Sober virus set one NTP time check attempt"; flow:stateless; flags:S,12; classtype:unusual-client-port-connection; sid:5321; rev:7;) # alert tcp $HOME_NET any -> [132.246.168.164,138.96.64.10,142.3.100.15,146.164.48.1,148.6.0.1,150.254.183.15,161.53.30.3,162.23.41.34,18.7.21.144,192.43.244.18,192.53.103.103,192.53.103.104,192.53.103.107,193.2.1.66,193.204.114.105,193.204.114.233,194.137.39.69,198.60.22.240] 37 (msg:"DELETED VIRUS Possible Sober virus set two NTP time check attempt"; flow:stateless; flags:S,12; classtype:unusual-client-port-connection; sid:5322; rev:5;) # alert tcp $HOME_NET any -> [198.72.72.10,200.254.135.2,208.14.208.19,209.87.233.53,213.239.201.102,216.193.203.2,69.25.96.13] 37 (msg:"DELETED VIRUS Possible Sober virus set three NTP time check attempt"; flow:stateless; flags:S,12; classtype:unusual-client-port-connection; sid:5323; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED VIRUS Possible Sober virus set two call home attempt"; flow:to_server,established; content:".exe"; http_uri; 
pcre:"/\x2f(?=[abdefijoqrsuvwxz])(d(ixqshv\x2fqzccs|yddznydqir\x2fevi)|f(seqepagqfphv\x2fsfd|ulmxct\x2fmqoyc)|i(ohgdhkzfhdzo\x2fuwp|yxegtd\x2fefcwg)|j((bevgezfmegwy\x2fnt|mqnqgijmng\x2foj)a|hjhgquqssq\x2fpjm|pjpoptwql\x2frlnj)|s(mtmeihf\x2fhiuxz|vclxatmlhavj\x2fvsy)|(aohobygi\x2fzwiw|rprpgbnrppb\x2fci)f|bnymomspyo\x2fzowy|eveocczmthmmq\x2fomzl|ocllceclbhs\x2fgth|(qlqqlbojvii\x2fgt|xbqyosoe\x2fcpvm)i|urfiqileuq\x2ftjzu|(vvvjkhmbgnbbw\x2fqbn|wjpropqmlpohj\x2flo)q|zzzvmkituktgr\x2fetie)\.exe/U"; classtype:suspicious-filename-detect; sid:5324; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED VIRUS Possible Sober virus set one call home attempt"; flow:to_server,established; content:"/"; http_uri; pcre:"/\x2f(?=[defghilmnoqrstwz])(m(ookflolfctm\x2fnmot\.fmu|clvompycem\x2fcen\.vcn)|e(etbuviaebe\x2feqv\.bvv|mcndvwoemn\x2flvv\.jde)|s(fhfksjzsfu\x2fahm\.uqs|rvziadzvzr\x2fsaei\.vvt)|n(kxlvcob\x2fkmpk\.ibl|pgwtjgxwthx\x2fbyb\.xky|hirmvtg\x2fggqh\.kqh)|(wlpgskmv\x2flwzo\.qv|gdvsotuqwsg\x2fdxt\.hd)g|(twfofrfzlugq\x2feve\.qd|doarauzeraqf\x2fvvv\.ul|qisezhin\x2fiqor\.ym)v|fowclxccdxn\x2fuxwn\.ddy|lnzzlnbk\x2fpkrm\.fin|iufilfwulmfi\x2friuf\.lio|(hsdszhmoshh\x2flhr\.cn|oakmanympnw\x2flnkd\.pk)h|riggiymd\x2fwdhi\.vhi|zmnjgmomgbdz\x2fzzmw\.gzt)/U"; classtype:suspicious-filename-detect; sid:5320; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:13;) # alert tcp $EXTERNAL_NET [1863,3128,80,8080] -> $HOME_NET any (msg:"DELETED CHAT Pidgin MSN P2P message 64bit integer overflow attempt"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"P2P-Dest"; nocase; 
pcre:"/^P2P-Dest[^\n]*\n\r?\n/msi"; byte_test:1,&,0x80,15,relative; reference:bugtraq,35067; reference:cve,2009-1376; reference:cve,2009-2694; classtype:attempted-user; sid:15895; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2950; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT Microsoft Word file download request"; flow:to_server, established; content:"GET"; nocase; content:".doc"; nocase; http_uri; flowbits:set,doc.download; flowbits:noalert; classtype:misc-activity; sid:13789; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:9;) # alert ip 66.151.158.177 any -> $HOME_NET any (msg:"DELETED POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3559; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; 
content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3556; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3557; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3554; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3558; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3561; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; 
classtype:bad-unknown; sid:3555; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:3560; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4397; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4474; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4475; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4390; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4445; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4405; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4447; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4401; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4453; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB spoolss little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4389; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4411; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4456; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4460; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4465; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4399; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss little endian andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4391; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4412; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4476; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4467; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4394; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4464; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4454; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4446; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4448; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB spoolss unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4385; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4406; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4402; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4470; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4381; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4471; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4408; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4450; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4384; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4463; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4395; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4388; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4457; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4387; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4451; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4392; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4409; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4462; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4383; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4472; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4396; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4473; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4466; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4398; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; 
distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4458; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4452; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4407; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 
23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4469; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4459; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4393; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; 
flowbits:noalert; classtype:bad-unknown; sid:4386; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4400; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4410; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4449; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
spoolss unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4403; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4468; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4461; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss WriteAndX 
unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4404; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; sid:4382; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.spoolss; flowbits:noalert; classtype:bad-unknown; 
sid:4455; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7337; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7398; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7419; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; 
flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7409; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7361; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7352; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7402; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7334; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7382; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7385; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 
88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7412; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7324; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7318; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; 
classtype:bad-unknown; sid:7360; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7400; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7379; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7401; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX little endian bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7346; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7383; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7307; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7363; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7411; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7399; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7376; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7391; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7316; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7335; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7327; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7366; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7375; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7410; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7420; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7389; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7312; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7417; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7347; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 
88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7368; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7404; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7308; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7377; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7355; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7313; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7306; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7326; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7344; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7388; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; 
within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7348; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7384; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7374; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7403; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc 
WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7309; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7305; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7317; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7332; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7345; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7364; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7405; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7314; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7310; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7354; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc little endian bind attempt"; content:"|11|"; 
depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7349; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7416; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7329; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7373; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7321; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7333; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7393; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7338; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7387; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; 
flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7311; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7406; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7367; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7315; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7342; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7395; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7415; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; 
classtype:bad-unknown; sid:7320; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7357; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7351; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; 
classtype:bad-unknown; sid:7390; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7356; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7369; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 
01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7372; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7418; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7330; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7343; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7386; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7328; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7378; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7350; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7319; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7396; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc unicode bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7339; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7380; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7407; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; 
sid:7359; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7323; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7371; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7414; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7331; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc WriteAndX unicode bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7340; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7362; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7413; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB srvsvc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7353; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7397; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; 
flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7392; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7381; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7408; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7336; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7394; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7341; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7325; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7358; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7365; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7370; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc WriteAndX little endian alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; distance:29; flowbits:set,dce.bind.srvsvc; flowbits:noalert; classtype:bad-unknown; sid:7322; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8892; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8899; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX little endian alter context attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8884; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8889; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8923; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8912; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8867; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8894; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8904; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8860; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8858; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; 
flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8906; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8865; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8914; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; 
flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8920; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8875; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8909; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8885; rev:8;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8880; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8870; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8863; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8898; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8903; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8877; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8882; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8879; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8868; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8916; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8893; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8872; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8900; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8887; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8924; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8918; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode little endian andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8896; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8911; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; 
sid:8913; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8891; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8857; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8910; rev:8;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8866; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8874; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8881; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8888; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8922; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8907; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; 
flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8861; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8915; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8890; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8897; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8905; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8883; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8921; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc 
WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8859; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8895; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8876; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8902; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8908; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8878; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8862; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8871; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8917; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8919; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8869; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8886; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|98 D0 
FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8864; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8901; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; distance:29; flowbits:set,dce.bind.wkssvc; flowbits:noalert; classtype:bad-unknown; sid:8873; rev:7;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"FROM|3A|"; nocase; isdataat:256,relative; pcre:"/^\s*MAIL\s+FROM\x3A[^\n]{256}/mi"; reference:bugtraq,10290; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:6;) # alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"DELETED BACKDOOR Kraken command and control server search attempt"; flow:to_server; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; 
byte_test:1,!&,240,2; pcre:"/(((\x06dyndns|\x02yi)\x03org)|((\x07dynserv|\x04mooo)\x03com))/"; detection_filter:track by_src,count 10,seconds 30; reference:url,www.securityfocus.com/brief/743; classtype:trojan-activity; sid:15486; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:8;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/kb/q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:14;) # alert ip any any <> 127.0.0.0/8 any (msg:"DELETED BAD-TRAFFIC loopback traffic"; reference:url,www.sans.org/reading_room/whitepapers/firewalls/1059.php; classtype:bad-unknown; sid:528; rev:10;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:10;) # alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"DELETED BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:13;) # alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DELETED DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:nessus,275; 
reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-091; reference:url,www.cert.org/advisories/CA-2000-21.html; classtype:attempted-dos; sid:275; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR gwboy 0.92 runtime detection"; flow:to_client,established; flowbits:isset,GWBoy_InitConnection1; content:"|01|"; depth:1; flowbits:set,GWBoy_InitConnection2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181; classtype:trojan-activity; sid:7102; rev:6;) # alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"DELETED BACKDOOR flux 1.0 runtime detection - keep alive - flowbit set"; flow:to_client,established; content:"|01 00 00 00|"; depth:4; flowbits:set,flux10.5; flowbits:noalert; classtype:trojan-activity; sid:7614; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"DELETED BACKDOOR flux 1.0 runtime detection - initial connection - flowbit 1"; flow:to_server,established; content:"|01 00 01|"; depth:3; flowbits:set,flux10.1; flowbits:noalert; classtype:trojan-activity; sid:7610; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR exception 1.0 runtime detection - initial connection server-to-client"; flow:to_client,established; flowbits:isset,exception_conn; content:"|00 00 01|"; depth:3; content:"|FF|"; within:1; distance:1; reference:url,www.megasecurity.org/trojans/e/exception/Exception1.0b1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099; classtype:trojan-activity; sid:7694; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR exception 1.0 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"|00 00 01 FF|"; depth:4; flowbits:set,exception_conn; flowbits:noalert; reference:url,www.megasecurity.org/trojans/e/exception/Exception1.0b1.html; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099; classtype:trojan-activity; sid:7693; rev:4;) # alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"DELETED BACKDOOR flux 1.0 runtime detection - successful initial connection"; flow:to_client,established; flowbits:isset,flux10.3; content:"|01 00 00 00|"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=811; classtype:trojan-activity; sid:7613; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"DELETED BACKDOOR flux 1.0 runtime detection - keep alive"; flow:to_server,established; flowbits:isset,flux10.5; content:"|10 00 00 00|"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=811; classtype:trojan-activity; sid:7615; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Apache http server mod_proxy http request crafted date handling denial of service attempt"; flow:to_server,established; content:"If-Modified-Since|3A| "; pcre:"/^If-Modified-Since\x3a (?!((Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9 ]?[0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} ([ECMP]S|GM)T|(Sun|Mon|Tues|Wednes|Thurs|Fri|Satur)day, [0-9]{2}[- ](Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[- ]([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} ([ECMP]S|GM)T|(Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9 ][0-9] [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} [0-9]{4}|(Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9]?[0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2}))/sm"; reference:bugtraq,25489; reference:cve,2007-3847; reference:url,httpd.apache.org/security/vulnerabilities_20.html; classtype:denial-of-service; sid:13309; rev:6;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC Apache http server mod_proxy http response crafted date handling denial of service attempt"; flow:to_client,established; 
content:"Last-Modified|3A| "; pcre:"/^Last-Modified\x3a (?!((Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9 ]?[0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} ([ECMP]S|GM)T|(Sun|Mon|Tues|Wednes|Thurs|Fri|Satur)day, [0-9]{2}[- ](Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[- ]([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} ([ECMP]S|GM)T|(Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9 ][0-9] [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} [0-9]{4}|(Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9]?[0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2}))/sm"; reference:bugtraq,25489; reference:cve,2007-3847; reference:url,httpd.apache.org/security/vulnerabilities_20.html; classtype:denial-of-service; sid:13311; rev:7;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED WEB-MISC Apache http server mod_proxy http response crafted date handling denial of service attempt"; flow:to_client,established; content:"Date|3A| "; pcre:"/^Date\x3a (?!((Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9 ]?[0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} ([ECMP]S|GM)T|(Sun|Mon|Tues|Wednes|Thurs|Fri|Satur)day, [0-9]{2}[- ](Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[- ]([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} ([ECMP]S|GM)T|(Sun|Mon|Tue|Wed|Thu|Fri|Sat) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9 ][0-9] [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2} [0-9]{4}|(Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9]?[0-9] (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([0-9]{2}|[0-9]{4}) [0-9]{2}\x3A[0-9]{2}\x3A[0-9]{2}))/sm"; reference:bugtraq,25489; reference:cve,2007-3847; reference:url,httpd.apache.org/security/vulnerabilities_20.html; classtype:denial-of-service; sid:13310; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Firefox XML parser memory corruption attempt"; 
flow:to_client,established; content:"<"; pcre:"/(\x3c[a-zA-Z\x5f][a-zA-Z0-9\x5f]*[^\x3e]*[^\x2f]\x3e){50,}/"; pcre:!"/(\x3c\x2f){50,}/"; reference:cve,2009-1232; classtype:attempted-dos; sid:15447; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC cross site scripting attempt"; flow:to_server,established; content:" $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:2193; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:2491; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:2492; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:2493; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2524; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; 
flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2509; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2510; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2525; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2512; rev:14;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED 
NETBIOS-DG SMB lsass unicode alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2526; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2513; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2514; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB nddeapi little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2956; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2957; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2929; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2958; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2930; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2959; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2931; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2960; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2932; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; 
classtype:protocol-command-decode; sid:2961; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2933; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2962; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2934; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi 
WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2963; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2935; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2964; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2965; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2946; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2966; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2967; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; 
classtype:attempted-admin; sid:2947; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2937; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2968; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2969; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2948; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2938; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2970; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2971; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2949; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2939; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2984; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg 
little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2174; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2985; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2175; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2986; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2476; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2987; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2477; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2988; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2940; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; 
classtype:protocol-command-decode; sid:2989; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2941; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2990; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2478; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode 
alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2991; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2479; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2992; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2993; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2943; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2994; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown little endian attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2944; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2995; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2945; rev:8;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2996; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2482; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; 
reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2997; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2483; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2998; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2480; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2999; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2481; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3090; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3091; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3092; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; 
distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3093; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3094; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3095; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3096; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3097; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3098; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3099; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3100; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3101; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3102; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3103; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3104; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3105; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3106; 
rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3107; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3108; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3109; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; 
distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3110; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3111; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3112; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:3113; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3115; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3116; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3117; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3118; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3119; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3120; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3121; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3122; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3123; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3124; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3125; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3126; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3127; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3128; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3129; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3163; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3185; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 irot IrotIsRunning overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3256; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3431; 
rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3421; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3241; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3419; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot IrotIsRunning overflow attempt"; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3260; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3413; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3180; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3406; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; 
classtype:protocol-command-decode; sid:3205; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3211; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3384; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3217; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX overflow 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3416; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3170; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3160; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3377; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3428; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3233; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 
ISystemActivator CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3435; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3178; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3183; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3245; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3412; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; 
distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3386; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 4 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3166; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3392; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3227; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3203; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3226; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3208; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3430; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3389; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 4 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; 
distance:19; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3174; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:3275; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3415; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3439; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3162; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3186; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey unicode overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3230; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3383; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; 
reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3231; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3216; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3378; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; 
content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3427; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3402; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3423; rev:10;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3222; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3204; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3210; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED 
NETBIOS DCERPC NCACN-IP-TCP irot little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3240; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:3396; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot IrotIsRunning little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3259; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 
00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3411; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3223; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3405; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3244; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3385; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3380; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3184; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3440; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; 
content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3426; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3189; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3179; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 4 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3175; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 4 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3167; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; 
classtype:protocol-command-decode; sid:3432; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3228; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3202; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; 
reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3420; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3401; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3390; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 4 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3172; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3207; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3391; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 
0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3232; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3224; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot IrotIsRunning overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3258; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3176; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3379; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3213; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3422; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3436; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3190; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3165; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3243; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3425; rev:9;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3418; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:3395; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3408; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3215; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:3394; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 
00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3433; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3187; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3236; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3181; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3168; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3414; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB IActivation WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3388; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3382; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3229; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX little endian alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:3276; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3429; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3220; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3404; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3219; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3212; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3206; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3399; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3169; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot IrotIsRunning little endian overflow attempt"; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3261; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 irot IrotIsRunning little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3257; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; 
content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3417; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3410; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; 
distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3437; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msqueue function 4 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3173; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3161; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3400; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3225; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3214; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3434; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:3393; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3424; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey 
WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3221; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3242; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3182; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode little endian 
object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3177; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3387; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3403; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3209; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3407; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:3381; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3191; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; 
distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3438; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; distance:29; flowbits:set,dce.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3237; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3164; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3188; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMDeleteObject little endian overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3596; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMDeleteObject overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3592; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMDeleteObject little endian object call overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3601; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 mqqm QMDeleteObject overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 00 00 00|"; within:4; 
distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3597; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3593; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 mqqm QMDeleteObject overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3595; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; 
reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3594; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMDeleteObject object call overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3598; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3599; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; 
reference:nessus,18027; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3600; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6106 (msg:"DELETED NETBIOS DCERPC DIRECT veritas bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; reference:bugtraq,14020; reference:cve,2005-0771; reference:url,www.idefense.com/application/poi/display?id=269&type=vulnerabilities; classtype:protocol-command-decode; sid:3699; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6106 (msg:"DELETED NETBIOS DCERPC DIRECT veritas little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; reference:bugtraq,14020; reference:cve,2005-0771; reference:url,www.idefense.com/application/poi/display?id=269&type=vulnerabilities; classtype:protocol-command-decode; sid:3700; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6106 (msg:"DELETED NETBIOS DCERPC DIRECT veritas little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; reference:bugtraq,14020; reference:cve,2005-0771; reference:url,www.idefense.com/application/poi/display?id=269&type=vulnerabilities; classtype:protocol-command-decode; sid:3698; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3957; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4087; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4086; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4003; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3844; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4012; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3889; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3879; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3836; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4066; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4097; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4001; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4102; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4094; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3862; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3849; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr little endian 
bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3851; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4113; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 
00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3970; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4109; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3884; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB umpnpmgr WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3829; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4067; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4115; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3963; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3960; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3848; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3983; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4006; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3969; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4116; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4106; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3995; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; 
content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3971; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4076; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3832; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3954; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4081; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; 
flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3880; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3883; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3988; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; 
distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4122; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3974; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3870; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode 
little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3891; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3839; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; 
classtype:protocol-command-decode; sid:4063; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3953; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4098; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4093; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3863; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4000; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr 
PNP_QueryResConfList andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3992; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3975; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4071; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4015; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3855; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4085; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3843; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4065; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4009; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3982; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4079; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4114; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3828; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3852; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4101; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3850; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3878; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4105; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4013; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4117; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr 
PNP_QueryResConfList WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3996; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4075; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3875; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3962; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3842; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3968; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3867; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3835; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4110; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3882; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; 
sid:3847; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3856; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4121; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3888; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3972; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3887; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3955; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3987; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; 
classtype:protocol-command-decode; sid:4099; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3858; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3838; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; 
within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4104; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3958; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; 
sid:4092; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3831; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4080; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; 
distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3985; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4005; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3998; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4089; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4074; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3965; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3864; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3846; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; 
content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4078; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3868; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4124; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr 
PNP_DetectResourceConflict attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4070; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3976; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3859; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4095; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3877; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4069; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4091; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3885; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4014; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4062; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4108; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3841; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3861; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3981; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4008; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3834; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4084; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4111; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4118; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3993; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3874; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4068; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4112; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3830; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; 
reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4120; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3986; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3984; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4100; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3881; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4107; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3854; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3872; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3964; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3956; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3886; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED 
NETBIOS SMB-DS umpnpmgr unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3890; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3871; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3860; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList little endian andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4010; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3999; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 
8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4002; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3866; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3997; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4096; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_DetectResourceConflict little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4103; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; 
distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4004; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4073; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3978; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3845; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|5"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4061; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3865; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3973; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4088; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
umpnpmgr unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3857; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4011; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; 
distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3837; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3990; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3840; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; 
within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4090; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3833; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4007; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3876; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3952; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3991; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4082; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_DetectResourceConflict unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4123; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX little endian attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3979; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3959; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3989; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 
umpnpmgr PNP_DetectResourceConflict little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4119; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_DetectResourceConflict WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|5"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4077; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr 
PNP_DetectResourceConflict WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4083; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3873; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3994; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_QueryResConfList unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3980; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_DetectResourceConflict WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"5|00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,32,16,little,relative; reference:bugtraq,14513; reference:cve,2005-1983; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4064; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_QueryResConfList unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3966; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_QueryResConfList WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3961; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_QueryResConfList WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; 
content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3977; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3853; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3869; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:2507; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:2350; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3157; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; 
content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:2351; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:3156; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:2352; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:2192; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3198; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:3197; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4361; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4340; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4362; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4293; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4319; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4261; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4269; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4335; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4258; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4353; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4323; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4328; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4272; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4304; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4356; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4343; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4376; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4243; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4369; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4342; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4291; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4313; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4242; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4324; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4287; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4276; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4294; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4309; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4347; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4314; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4239; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4253; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4250; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4298; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContextW overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4247; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4283; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4332; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4372; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4329; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize little endian andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4377; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4284; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4259; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4350; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4273; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4360; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4365; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4285; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; 
reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4359; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4357; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4299; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4311; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4320; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4262; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4303; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4251; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4288; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4254; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4277; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4270; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
umpnpmgr PNP_GetDeviceListSize unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4368; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4292; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4354; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4310; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4374; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4373; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4331; rev:7;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4238; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4346; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4308; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4315; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4266; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4325; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4379; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize unicode little endian attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4316; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4249; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4321; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4302; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4337; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4339; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; 
distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4330; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4345; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4286; 
rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4263; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4351; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX little endian attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4256; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4274; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4301; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4326; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4295; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4255; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4307; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4237; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4355; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4349; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4380; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4281; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4370; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; 
classtype:protocol-command-decode; sid:4264; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4271; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4364; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr 
PNP_GetDeviceList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4322; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4267; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4367; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4244; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4278; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList 
little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4338; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4336; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4296; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4375; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4248; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4378; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; 
reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4317; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4260; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4268; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0 
0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4240; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4327; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4257; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4275; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4300; rev:7;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4363; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4344; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4290; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4318; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4280; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4265; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.msdtc; flowbits:noalert; classtype:protocol-command-decode; sid:4241; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceListSize WriteAndX andx attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4371; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4333; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4297; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4305; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceListSize WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4289; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4306; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 
00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4348; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4279; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:4252; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4341; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceListSize WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4312; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4282; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceListSize WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4352; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 
umpnpmgr PNP_GetDeviceListSize WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15065; reference:cve,2005-2120; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-047; classtype:protocol-command-decode; sid:4366; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4628; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4564; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4537; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; 
reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4501; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4519; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4423; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4591; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4429; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; 
distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4570; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4604; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4567; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4506; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4552; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4515; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4582; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4416; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4504; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4613; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4625; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4422; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4539; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4491; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4595; rev:3;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4587; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4484; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4533; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4617; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; 
reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4434; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4609; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4436; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 
43 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4548; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4478; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 
23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4481; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4560; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4479; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4542; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4555; rev:10;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4622; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4441; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4621; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4490; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX little endian andx bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4579; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4509; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4522; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 little endian andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4566; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4586; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4565; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4597; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4521; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4529; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4632; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; 
flowbits:noalert; classtype:protocol-command-decode; sid:4590; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4610; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4512; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4495; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4500; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; 
reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4541; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4618; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4439; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 andx 
overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4629; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4624; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4507; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4514; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; 
reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4605; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4620; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4426; rev:6;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4578; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4489; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4526; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4593; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4635; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx 
WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4499; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4531; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; 
distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4596; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4525; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4494; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4558; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4536; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; 
reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4505; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4417; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4581; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4421; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4561; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4553; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4483; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4549; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4480; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4606; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 
WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4543; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4433; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4428; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4435; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; 
distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4598; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4511; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4574; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; 
distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4425; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4611; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4498; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4532; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4556; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 
B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4520; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4518; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4442; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4544; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4585; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4557; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4418; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4431; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4550; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4602; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; 
classtype:protocol-command-decode; sid:4580; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4443; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4438; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4599; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4569; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4486; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4623; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4547; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4619; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4508; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS 
SMB-DS v4 spoolss AddPrinterEx WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4493; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4562; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4427; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4626; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4577; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4477; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4517; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs alter 
context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4589; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4614; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4492; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4600; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4415; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4524; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4510; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4488; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4584; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4527; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4634; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4502; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4497; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4573; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4538; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4535; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4631; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB 
EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4432; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4607; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"F|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4420; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4572; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4546; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4612; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4513; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; 
distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4588; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4485; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinterEx unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4496; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB v4 netware_cs function 43 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4568; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4534; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; 
within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4430; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4627; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4419; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4563; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4444; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode little endian andx bind 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4603; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4636; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 
01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4592; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4482; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4551; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4516; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4545; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4575; rev:3;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4424; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinterEx andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00|F"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4437; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX bind 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4576; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4594; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00|+"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4633; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4559; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs function 43 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4554; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4540; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4530; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; 
distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4528; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4440; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4601; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4523; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinterEx little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4414; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|F"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,96,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4503; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 
little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4615; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; distance:29; flowbits:set,dce.bind.netware_cs; flowbits:noalert; classtype:protocol-command-decode; sid:4583; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs function 43 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; 
content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4571; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs function 43 little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,512,4,little,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4630; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs function 43 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,512,4,relative; reference:bugtraq,15066; reference:cve,2005-1985; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-046; classtype:attempted-admin; sid:4616; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinterEx unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"F|00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{8})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,96,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:4487; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4709; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4704; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4784; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; 
within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4806; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4811; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4686; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4779; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4772; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4770; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4764; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4797; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP locator alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; 
flowbits:noalert; classtype:protocol-command-decode; sid:4750; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4714; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4801; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP locator little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4752; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode alter context attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4742; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4719; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4815; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 locator nsi_binding_lookup_begin overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4757; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4739; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; 
within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4708; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP locator alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4682; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4783; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 
00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4718; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4791; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4798; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4805; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin little endian overflow attempt"; flowbits:isset,dce.bind.locator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4822; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4693; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4776; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4793; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4717; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4738; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4722; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4729; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4810; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP locator bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4751; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4789; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4687; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4824; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4747; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4818; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4703; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; 
byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4800; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4796; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4787; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4735; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4698; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4771; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4767; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4773; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4758; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4712; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; 
sid:4768; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP locator bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4683; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4777; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4809; rev:5;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4814; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4744; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4743; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP locator little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4753; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt"; flowbits:isset,dce.bind.locator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4823; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4734; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode little endian 
andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4763; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4790; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4731; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4702; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4726; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 
00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4804; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4819; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4792; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator little endian andx alter 
context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4707; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4694; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4713; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4782; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4788; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4774; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4813; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4761; rev:8;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4766; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4759; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4730; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4820; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4795; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB locator WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4699; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4721; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4688; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED 
NETBIOS SMB-DS locator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4740; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4808; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4786; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4737; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4733; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4781; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4716; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4706; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4778; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4748; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 
8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4695; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4696; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4803; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4725; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4690; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4762; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4769; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4728; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4817; rev:5;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4745; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4821; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4794; rev:7;)
#
# NOTE(review): every rule in this section is commented out (see the DELETED RULES
# header above) and is retained for SID history only; none of them fires as written.
#
# MS03-001 / CVE-2003-0003 RPC Locator rules (sid 4684-4825). The 16-byte content
# |14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3| decodes, in wire order, to the
# UUID d3fbb514-0e3b-11cb-8fad-08002b1d29c3 (presumably the Locator interface,
# going by the msg text). The rules come in two layers:
#   * "bind" (|0B|) and "alter context" (|0E|) rules only set
#     flowbits:set,dce.bind.locator and carry flowbits:noalert;
#   * "nsi_binding_lookup_begin ... overflow" rules carry
#     flowbits:isset,dce.bind.locator and then test a 4-byte value for > 256;
#   * "v4" variants match a |04 00| DCERPC header, check the UUID inline and use
#     no flowbit at all.
# Re-enabling an isset rule without the set rule for the same port (135/139/445),
# SMB command (Transaction "%" vs. WriteAndX "/") and andx/unicode combination
# produces no alerts, because the flowbit is never set on that flow.
# Endianness: bit 0x10 of the DCERPC data-representation byte (byte_test:1,&,16
# vs. byte_test:1,!&,16) selects the little- vs. big-endian variant; in this
# group the big-endian variants (sid 4785, 4765, 4802, 4825) drop the ",little"
# modifier from the final byte_test accordingly.
#
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP locator little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4684; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4785; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4692; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4701; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 locator nsi_binding_lookup_begin little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4756; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4710; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4760; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4741; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4689; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4736; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4812; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4807; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4723; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4705; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4697; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4724; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator nsi_binding_lookup_begin WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4765; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4749; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4711; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4799; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator nsi_binding_lookup_begin unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.locator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4802; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4780; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4715; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4700; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4720; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP locator little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4685; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4727; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 locator nsi_binding_lookup_begin little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4816; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 locator nsi_binding_lookup_begin WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4775; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4746; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB locator WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4691; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 locator nsi_binding_lookup_begin overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,6666; reference:cve,2003-0003; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-001; classtype:attempted-admin; sid:4825; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS locator WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|14 B5 FB D3 3B 0E CB 11 8F AD 08 00|+|1D 29 C3|"; distance:29; flowbits:set,dce.bind.locator; flowbits:noalert; classtype:protocol-command-decode; sid:4732; rev:5;)
#
# Advisory 911052 / CVE-2005-3644 umpnpmgr rules (sid 4827-4978). The content
# @N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B| decodes, in wire order, to the UUID
# 8d9f4e40-a03d-11ce-8f69-08003e30051b; going by the msg text, opnum 7 is
# PNP_GetRootDeviceInstance and opnum 10 (|0A|) is PNP_GetDeviceList.
# The non-"v4" rules depend on flowbits:isset,dce.bind.umpnpmgr; the rules that
# set that flowbit are not within this stretch of the file.
# NOTE(review): the big-endian variants here (sid 4836, 4847, 4849, 4856, 4862,
# 4928, 4953 -- opnum matched as |00 07| / |00 0A| after byte_test:1,!&,16,...)
# still read the final 4-byte field with ",little", unlike the locator rules
# above, which drop the modifier for big-endian traffic. That looks inconsistent
# and should be verified before any of these signatures is reused.
# Also note that every umpnpmgr rule, including the "dos attempt" ones, is
# classed protocol-command-decode, whereas the locator overflow rules use
# attempted-admin; reconsider the classtype if any of them is resurrected.
#
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4863; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4836; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4977; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4827; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4930; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4953; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4873; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4923; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4849; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4933; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4856; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4928; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4831; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4978; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4847; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4945; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4883; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4956; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4969; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4862; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 
00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4857; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4828; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4979; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4841; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4972; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4870; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4934; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; 
sid:4924; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4839; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4948; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; 
distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4919; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4927; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4846; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian dos attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4939; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4869; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4932; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4875; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4981; rev:5;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4830; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4861; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4829; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4960; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; 
reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4854; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4848; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4942; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4885; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4976; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4833; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4947; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4959; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX dos attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4931; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4872; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList unicode little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; 
distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4937; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4860; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4838; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4855; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4868; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; 
reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4840; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4941; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4954; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode dos attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4929; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4884; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4975; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4843; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4832; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4963; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4980; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4889; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4949; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; 
reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4887; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4938; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4940; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4880; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4944; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4973; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4842; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4852; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode little endian andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4874; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4952; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4967; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4867; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; 
byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4866; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4943; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4920; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4964; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4835; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; 
reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4935; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4888; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4886; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance 
little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4853; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4968; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4970; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4951; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; 
content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4845; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4926; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList unicode little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4946; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList WriteAndX dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4921; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4871; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; 
reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4955; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4961; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4971; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
v4 umpnpmgr PNP_GetDeviceList WriteAndX unicode andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4966; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList unicode dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4936; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4865; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetDeviceList WriteAndX little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4965; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; 
byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4858; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4850; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4950; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4882; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4878; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4876; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4834; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX unicode andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; 
reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4958; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4837; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX little endian dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4925; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList unicode dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4922; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetDeviceList andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4974; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetDeviceList little endian andx dos attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; 
reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4962; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4879; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4881; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS umpnpmgr PNP_GetRootDeviceInstance WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4864; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetRootDeviceInstance unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4859; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 umpnpmgr PNP_GetRootDeviceInstance WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4851; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4844; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB umpnpmgr PNP_GetDeviceList WriteAndX little endian andx dos attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,256,4,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; 
reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4957; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 umpnpmgr PNP_GetRootDeviceInstance unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,15460; reference:cve,2005-3644; reference:url,technet.microsoft.com/en-us/security/advisory/911052; classtype:protocol-command-decode; sid:4877; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5006; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5060; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5174; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5067; rev:8;) # 
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5309; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5310; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4993; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5215; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5263; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer unicode overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5217; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5105; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5097; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5165; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5288; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer unicode overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5238; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5225; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5223; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5044; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5117; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; 
classtype:protocol-command-decode; sid:5018; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5204; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5224; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5129; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5081; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5150; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B 
A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5077; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4992; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5159; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; 
depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5299; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5258; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5240; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5011; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5270; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5152; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5080; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4998; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5247; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5193; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5191; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 
C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5236; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5038; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5301; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation unicode attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5103; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5104; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5294; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5313; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5066; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5140; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5308; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5182; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer unicode andx overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5275; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5255; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5216; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5287; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; 
reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5173; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5245; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5121; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5237; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5226; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; 
reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5218; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5164; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4997; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5120; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5128; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4991; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5078; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5256; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5118; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5019; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5045; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt"; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5203; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 
(msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5248; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5190; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5235; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5192; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5133; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode 
little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5141; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5181; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer unicode andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5286; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5009; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5199; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5158; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5130; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5148; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5167; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5213; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5227; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5208; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5209; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5172; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5281; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB lsass WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5070; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5069; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; 
reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5119; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5266; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5276; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode 
little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5014; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5300; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5050; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation little endian andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5184; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5079; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5025; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5063; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5123; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; 
reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5157; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5036; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5290; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5160; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5179; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5280; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5131; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4996; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5057; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5234; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5110; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5003; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5001; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5312; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED 
NETBIOS-DG SMB lsass WriteAndX little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5016; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5008; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer unicode little endian andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5260; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5042; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5202; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5087; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5169; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5142; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5138; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5094; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5228; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX little endian overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5214; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5112; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5166; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5072; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation unicode little endian andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5149; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; 
classtype:protocol-command-decode; sid:5061; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5200; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5170; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; 
content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5289; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5111; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5296; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5303; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5024; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; 
flowbits:noalert; classtype:protocol-command-decode; sid:5062; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5071; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5273; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5068; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5207; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5015; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian 
attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5106; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer unicode andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5265; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5056; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5088; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5143; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5233; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5002; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5257; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5315; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5089; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5000; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5194; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX andx 
alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5037; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5156; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; 
within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5139; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5178; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5168; rev:5;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5268; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5250; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5183; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5017; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5043; rev:6;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5201; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5122; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5073; rev:6;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5084; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5171; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5085; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode little endian andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5188; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5251; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; 
flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5048; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5186; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5113; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5295; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5136; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; 
flowbits:noalert; classtype:protocol-command-decode; sid:5034; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation little endian andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5162; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4995; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5041; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5292; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5196; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; 
content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5108; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5093; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5254; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5059; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5023; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5012; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; 
content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5100; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5274; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5206; rev:5;) # alert udp $EXTERNAL_NET 
any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5279; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5144; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; 
reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5314; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5302; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5241; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5125; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5211; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; 
reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5267; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5064; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5092; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5283; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5229; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5220; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5074; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5305; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5252; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB 
v4 lsass DsRolerGetPrimaryDomainInformation attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5124; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5028; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5114; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsass alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5086; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5155; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; 
reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5145; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5232; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5177; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass little endian andx bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5051; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5049; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; 
content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5282; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5058; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5137; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5035; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5005; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5134; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass 
DsRolerGetPrimaryDomainInformation unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5109; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 lsass DsRolerGetPrimaryDomainInformation attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5195; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; 
reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5291; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5304; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5107; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5298; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5185; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5242; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5013; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5221; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; 
distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5205; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5052; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5249; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5075; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5029; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5115; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5022; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5259; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX little endian andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5262; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5161; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5212; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 
(msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5030; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5198; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5135; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX andx 
alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5032; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5146; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5261; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5039; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5246; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass 
WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5020; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5091; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5271; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5004; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5082; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5027; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 
00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5154; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5176; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer unicode little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5297; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5127; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5046; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer WriteAndX overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5231; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5047; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5222; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsass bind attempt"; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5090; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5285; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; 
sid:5243; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX little endian attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5102; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5021; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 
C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5055; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5277; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5180; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5272; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5153; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5284; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5099; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerUpgradeDownlevelServer unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; 
reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5293; rev:5;)
#
# --- NETBIOS / DCE-RPC deleted rules ---------------------------------------
# Covers the hand-decoded lsass (MS04-011, CVE-2003-0533), llsrpc / llsrpc2
# (MS05-010, CVE-2005-0050) and winreg InitiateSystemShutdown signatures.
#
# Every rule in this section is commented out and carries "DELETED" in its
# msg, so including this file provides NO detection for these CVEs.  Check the
# active rule set for the replacements before relying on any of these sids
# (presumably dcerpc2-preprocessor based rules -- verify against the current
# netbios / os-windows rule files).
#
# Structure of the rules below, for anyone reading the byte offsets:
#  - The SMB header is matched by hand: "|FF|SMB" followed by the command byte
#    ("/" = WriteAndX per the msg text; "%" appears to be Transaction, with the
#    "&|00|" sub-command matched 29 bytes later); byte_test 1,&,128,6,relative
#    versus 1,!&,128,6,relative splits the "unicode" and non-unicode variants
#    (the msg text tracks this bit).  byte_jump then skips the SMB parameter
#    block to land on the DCE-RPC PDU.
#  - On a v5 PDU ("|05|") byte_test 1,&,16,3,relative versus 1,!&,16,3,relative
#    on the data-representation byte splits the "little endian" and big-endian
#    variants; the PDU type byte is |0B| (bind), |0E| (alter context) or |00|
#    (request).  The "v4" rules match a "|04 00|" header that carries the
#    interface UUID inline (within:16; distance:22) and test the same
#    endianness bit at offset 2.
#  - bind / alter context rules only set a dce.bind.<iface> flowbit and never
#    alert (flowbits:noalert).  The v5 request rules are gated on
#    flowbits:isset, so an overflow request on a flow whose bind / alter
#    context was not observed by the sensor produces no alert; the v4 rules
#    are not gated.  Three of the gated rules (sids 5269, 5151, 5101) are UDP
#    port 138 datagram rules -- flowbit state across datagrams depends on the
#    sensor's UDP session tracking (verify before reuse).
#  - The opnum is a 2-byte content in the rule's byte order (|09 00| / |00 09|
#    for DsRolerUpgradeDownlevelServer, |00 00| for
#    DsRolerGetPrimaryDomainInformation / LlsrConnect / LlsrLicenseRequestW,
#    |18 00| for InitiateSystemShutdown).  The overflow rules then byte_test a
#    4-byte field at offset 0 (lsass, LlsrConnect) or 8 (LlsrLicenseRequestW)
#    past the opnum against 256 (lsass, llsrpc2) or 52 (LlsrConnect), in the
#    same byte order as the opnum match.  The DsRolerGetPrimaryDomainInformation
#    and InitiateSystemShutdown rules are protocol-command-decode only (no
#    length check).
# ---------------------------------------------------------------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5253; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerUpgradeDownlevelServer little endian andx overflow attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5269; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5053; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5031; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5147; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5197; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5132; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5033; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5007; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerUpgradeDownlevelServer little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5264; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5040; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5230; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5307; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5189; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5187; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5126; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation unicode andx attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5151; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5244; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4994; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5311; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsass little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5083; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5219; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX unicode andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5054; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5239; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerGetPrimaryDomainInformation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5163; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass DsRolerGetPrimaryDomainInformation unicode little endian attempt"; flowbits:isset,dce.bind.lsass; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5101; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsass DsRolerGetPrimaryDomainInformation little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5098; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass unicode little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5065; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5210; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass WriteAndX little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5076; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:5010; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsass bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; distance:29; flowbits:set,dce.bind.lsass; flowbits:noalert; classtype:protocol-command-decode; sid:4999; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 lsass DsRolerUpgradeDownlevelServer overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5306; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsass DsRolerGetPrimaryDomainInformation WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5116; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsass DsRolerGetPrimaryDomainInformation little endian andx attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5175; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsass DsRolerUpgradeDownlevelServer WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsass; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:5278; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5521; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5499; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5464; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5401; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5531; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5508; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5433; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5443; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5503; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5536; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5554; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5475; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5671; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5668; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5571; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5342; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5349; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5337; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5392; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED 
NETBIOS SMB-DS v4 winreg OpenKey WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5589; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5578; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 irot IrotRevoke little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; 
classtype:attempted-admin; sid:5327; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5527; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5592; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5625; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5650; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5362; 
rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5548; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5488; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5338; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5632; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5412; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5369; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5417; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5442; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc 
andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5419; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5644; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5476; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5564; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5561; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5354; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5450; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5387; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5410; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5517; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; 
classtype:protocol-command-decode; sid:5655; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5444; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5502; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5672; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5607; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; 
classtype:attempted-admin; sid:5487; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5463; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5530; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5660; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5549; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5587; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5453; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5576; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5424; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5474; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; 
reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5665; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5614; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5373; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5626; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5666; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5423; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5361; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5581; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 
8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5631; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5658; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5588; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5579; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5454; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5593; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5539; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5351; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5615; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5490; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5567; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5388; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5643; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5608; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5372; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5335; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 
08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5428; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5630; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5367; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; 
content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5441; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5399; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5515; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5553; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5506; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5606; rev:5;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5468; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5533; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5492; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5466; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; 
flowbits:noalert; classtype:protocol-command-decode; sid:5380; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5425; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5654; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5619; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5379; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5612; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5436; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5538; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5501; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5414; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5640; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5629; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5447; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; 
content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5524; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5440; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5562; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown unicode attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5642; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5663; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5344; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5605; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5637; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5481; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5355; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5573; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5478; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5368; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; 
classtype:protocol-command-decode; sid:5390; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 irot IrotRevoke overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5325; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5546; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5491; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5582; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5627; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect 
WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5451; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5594; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; 
content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5669; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5600; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5426; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5371; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5435; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5449; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5555; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5653; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5391; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5540; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; 
reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5532; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5639; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5336; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 
D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5570; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5493; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5509; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5465; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5467; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; 
distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5565; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5477; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5356; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5360; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5613; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5353; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5480; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5389; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5409; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
llsrpc2 little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5341; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5641; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5374; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc 
WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5411; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5525; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; 
distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5500; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5514; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5628; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown andx attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5664; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5459; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; 
content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5489; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5656; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5402; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5448; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5452; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; 
classtype:protocol-command-decode; sid:5552; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5638; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5595; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5547; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5408; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5345; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5598; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5596; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5610; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5378; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5541; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 
LlsrLicenseRequestW unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5544; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5512; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5358; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5621; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5457; rev:8;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5675; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5522; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5416; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5365; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5406; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5569; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5494; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5558; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED 
NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5405; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5676; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5469; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5535; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5659; 
rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5635; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5397; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; 
reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5504; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5584; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5551; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5346; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5438; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5617; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX unicode andx overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5471; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5661; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5460; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5333; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5381; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5670; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5611; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; 
reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5662; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5432; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5636; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5439; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5599; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5590; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode alter 
context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5334; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5427; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; 
sid:5597; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5563; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5647; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot IrotRevoke overflow attempt"; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5330; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5568; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5604; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5513; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5458; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; 
reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5622; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5620; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5482; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc unicode little endian andx alter 
context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5413; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5523; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 
A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5483; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5437; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5648; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode alter 
context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5339; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5534; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5507; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5495; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 irot IrotRevoke little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5328; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5400; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5430; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5550; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5382; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5528; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5420; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS 
SMB-DS winreg WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5572; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5407; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; 
byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5518; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5398; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5583; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5618; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5343; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5377; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX unicode little endian andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5560; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5623; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc LlsrConnect WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5455; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5577; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5404; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5510; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5418; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc LlsrConnect WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5473; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5340; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5385; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5359; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey unicode andx overflow 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5609; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5352; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5347; 
rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5370; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5652; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5646; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5559; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5364; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5542; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5556; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; 
classtype:attempted-admin; sid:5586; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot IrotRevoke overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5329; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5591; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; 
reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5633; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5519; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5557; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5603; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5376; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; 
sid:5393; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP irot IrotRevoke little endian overflow attempt"; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5331; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5462; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg OpenKey WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; 
content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5616; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5383; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5421; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5496; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5545; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; 
reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5649; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5395; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5537; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5674; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5574; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5445; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5486; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5580; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5657; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5543; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,12481; 
reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5516; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 18|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5645; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5366; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5386; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5415; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5667; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect 
WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5484; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5601; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5357; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5350; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5566; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5529; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5624; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5456; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 winreg OpenKey overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5585; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 llsrpc2 LlsrLicenseRequestW WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5511; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5472; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5363; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5403; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 winreg InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:22; content:"|18 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5634; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5434; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 LlsrLicenseRequestW WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5520; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5348; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5429; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; 
byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5498; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS winreg InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5651; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg InitiateSystemShutdown WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:5673; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5461; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5384; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; 
distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5479; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5422; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP irot IrotRevoke little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,1024,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5332; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc2 unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5375; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5396; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:5602; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc2; flowbits:noalert; classtype:protocol-command-decode; sid:5394; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc LlsrConnect WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5446; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; distance:29; flowbits:set,dce.bind.llsrpc; flowbits:noalert; classtype:protocol-command-decode; sid:5431; rev:7;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB llsrpc LlsrConnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5470; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 irot IrotRevoke overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,1024,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:5326; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5526; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS llsrpc2 LlsrLicenseRequestW WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.llsrpc2; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5497; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; distance:29; flowbits:set,dce.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:5575; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 llsrpc2 LlsrLicenseRequestW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|D0|LgW|00|R|CE 11 A8 97 08 00|+.|9C|m"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:5505; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContext little endian heap overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6459; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian invalid uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,37,28,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6421; 
rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian invalid second uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6434; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:6415; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW heap overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6450; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6449; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContext little endian heap overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6458; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:6417; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:6416; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object call heap 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6453; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian invalid second uuid size attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6433; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContext little endian object call heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6466; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian object call invalid uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,37,28,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6428; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContext little endian heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6462; rev:7;) # 
# --- MSDTC BuildContext / BuildContextW (MS06-018: CVE-2006-0034, CVE-2006-1184) ---
# Retired ("DELETED") rules. NOTE(review): in this rendering the first rule below
# (sid:6423) has its leading "#" on the preceding line; it is still a deleted rule and
# this section must not be loaded as-is.
# Common shape of the connection-oriented (DCERPC v5) variants, all gated on
# flowbits:isset,dce.bind.msdtc (the bind rule that sets the bit is not in this section):
#   content:"|05|"                 rpc_vers 5; byte_test 0x10 on the data-representation byte
#                                  selects the "little endian" (bit set) vs big-endian variant
#   content:"|00|" (distance:1)    packet type 0 = request
#   byte_test:1,&,128,0,relative   "object call" variants only: object-uuid flag set, then
#                                  pcre:"/^.{16}/sR" skips the 16-byte object uuid
#   content:"|00 07|" / "|07 00|"  opnum 7 = BuildContextW; "|00 01|" / "|01 00|" = opnum 1 =
#                                  BuildContext (opnum byte order follows the drep test)
#   pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR" + byte_jump:4,-4,multiplier 2,relative,align
#                                  one "hop" over a wide-string parameter starting 28 bytes into
#                                  the stub: 4 zero bytes = null pointer, otherwise a 12-byte
#                                  header whose last 4 bytes give the element count (x2, aligned)
#   byte_test:4,>,37,28            "invalid uuid size": the length word at stub+28 exceeds 37
#   2 hops, then byte_test:4,>,37,0    "invalid second uuid size": next length word exceeds 37
#   4 hops, then byte_test:4,<,37,0    "heap overflow": next length word is below 37
# The "v4" variants use the connectionless DCERPC header (content:"|04 00|", drep at +2, opnum
# 28 bytes past the interface uuid, fragnum |00 00|); with no bind to key on they match the
# MSDTC interface uuid inline:
#   |E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|  = 906b0ce0-c70b-1067-b317-00dd010662da
# sid:6422, 6446 and 6447 apply that connectionless layout to TCP/1024: (presumably one reason
# they were retired). Do not re-enable any of these without checking current MS06-018 coverage.
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian invalid uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; byte_test:4,>,37,28,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6423; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call invalid uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,37,28,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6429; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW object call heap overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6451; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW object call invalid second uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,37,0,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6439; rev:8;)
# sid:6418 below is the earlier MS05-051 / CVE-2005-2119 BuildContextW check (3 string hops,
# length word > 256), not an MS06-018 rule like its neighbours.
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian object call overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,15056; reference:cve,2005-2119; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-051; classtype:attempted-admin; sid:6418; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContext little endian object call heap overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6464; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContextW invalid uuid size attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,37,28,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6422; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW invalid second uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,37,0,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6438; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW invalid uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,37,28,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6425; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContext little endian heap overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6457; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object call invalid second uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6440; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContext object call heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6465; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContext heap overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6460; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian heap overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6445; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW object call invalid uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,37,28,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6430; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW invalid uuid size attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,37,28,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6424; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW little endian invalid second uuid size attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6437; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian object call invalid second uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6441; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContext object call heap overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6463; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian object call invalid uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,37,28,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6427; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call invalid second uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,37,0,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6442; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContextW little endian heap overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6446; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msdtc BuildContextW invalid second uuid size attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,37,0,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6436; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian object call heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6452; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msdtc BuildContextW heap overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6447; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW little endian invalid second uuid size attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6435; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContextW object call heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6454; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW invalid uuid size attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; byte_test:4,>,37,28,relative; reference:bugtraq,17905; reference:cve,2006-1184; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6426; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msdtc BuildContextW little endian heap overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,<,37,0,little,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6448; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msdtc BuildContext heap overflow attempt"; flowbits:isset,dce.bind.msdtc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,<,37,0,relative; reference:bugtraq,17905; reference:cve,2006-0034; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-018; classtype:attempted-admin; sid:6461; rev:7;)
# --- RRAS RasRpcSubmitRequest (MS06-025, CVE-2006-2370) over SMB named pipes ---
# Retired ("DELETED") rules for ports 139 (NETBIOS SMB) and 445 (SMB-DS). The variants form a
# matrix over:
#   how the pipe is written: Trans (command "%" = 0x25, setup word content:"&|00|", DCERPC data
#     reached via byte_jump:2,-6,relative,from_beginning,little), WriteAndX (command "/" = 0x2f,
#     byte_jump:2,23,relative,from_beginning,little to its data offset), and "andx" forms that
#     accept one of pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR" as the leading command
#     and then step along the chain with byte_jump:2,0,little,relative (the fixed offset:39 used
#     there is not re-derived here -- verify it against the SMB AndX layout before reusing it)
#   the SMB flags2 unicode bit: byte_test:1,&,128,6,relative ("unicode" variants) vs !&
#   DCERPC byte order: byte_test 0x10 on the drep byte, opnum/length fields in matching order
# The "bind" / "alter context" rules match ptype |0B| / |0E| plus the RRAS interface uuid
#   6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|  = 20610036-fa22-11cf-9823-00a0c911e5df
# and only set flowbits dce.bind.rras (flowbits:noalert, classtype protocol-command-decode).
# The "overflow" rules require that bit, match opnum 12 (|00 0C| / |0C 00| = RasRpcSubmitRequest)
# and fire when the 4-byte value 4 bytes into the request stub exceeds 8192
# (byte_test:4,>,8192,4). "object call" variants additionally require the object-uuid flag
# (byte_test:1,&,128,0,relative) and skip the 16-byte uuid. The "v4" rules (sid:6587, 6588,
# 6632) carry no flowbits and instead match the connectionless DCERPC header and uuid inline.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6642; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6531; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6541; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6587; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6631; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6578; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6676; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6612; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6568; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6630; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6592; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6660; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6588; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6577; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6624; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6658; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6545; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6667; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6532; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6579; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6632; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6609; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6529; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6679; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6540; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode andx overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6641; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6670; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6593; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6539; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6569; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6556; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6656; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6557; rev:6;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6611; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6650; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6666; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6640; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6598; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6659; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6661; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6544; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6602; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6589; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB rras unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6553; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6673; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; 
distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6551; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6669; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6594; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6637; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6601; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; 
flowbits:noalert; classtype:protocol-command-decode; sid:6543; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6619; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6548; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA 
CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6644; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6678; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6571; rev:8;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6610; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6561; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; 
flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6547; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6622; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6558; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6652; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6638; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6595; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6639; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6604; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6672; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6572; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6606; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6542; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6643; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6546; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6653; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6559; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest andx object call overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6668; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6533; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6528; rev:8;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6618; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6623; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; 
content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6535; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6527; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6616; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; 
distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6523; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6573; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6563; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6628; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6555; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6591; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6536; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6663; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6605; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB rras RasRpcSubmitRequest WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6617; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6627; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6580; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6654; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6636; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6675; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6597; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6646; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6620; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; 
reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6603; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6662; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6522; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; 
distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6526; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6534; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6615; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6570; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6655; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6629; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX 
little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6549; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6581; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6574; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras 
RasRpcSubmitRequest unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6645; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6621; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6560; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6608; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6552; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX andx object 
call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6674; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6565; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; 
flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6550; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6657; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6649; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest 
WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6585; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6614; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6525; rev:6;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6575; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6521; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; 
classtype:attempted-admin; sid:6590; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6651; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6599; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6538; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6600; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6607; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6566; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6625; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; 
flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6582; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6648; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6677; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS 
SMB v4 rras RasRpcSubmitRequest WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6633; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6596; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6564; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6530; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6554; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6537; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6664; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6520; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSubmitRequest WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; 
distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6613; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6524; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6567; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6671; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6562; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6665; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6583; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6634; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest unicode andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6647; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSubmitRequest WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6586; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSubmitRequest unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,8192,4,little,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6635; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; distance:29; flowbits:set,dce.bind.rras; flowbits:noalert; classtype:protocol-command-decode; sid:6576; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSubmitRequest WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,8192,4,relative; reference:bugtraq,18325; reference:cve,2006-2370; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6626; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6862; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6894; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
rras RasRpcSetUserPreferences unicode object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6824; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6837; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6780; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6797; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6959; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6966; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6997; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6744; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6716; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6815; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6874; rev:5;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6883; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6889; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian andx callback number overflow 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6987; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6969; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6748; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6989; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6915; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6947; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6715; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6851; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; 
byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6905; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6792; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6858; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6733; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6741; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6921; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6938; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6806; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6842; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 
00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6954; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6836; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6774; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6777; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6875; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6996; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6863; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS 
SMB-DS v4 rras RasRpcSetUserPreferences little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6970; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; 
classtype:attempted-admin; sid:6880; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6908; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; 
classtype:attempted-admin; sid:6998; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6895; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6939; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6816; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6798; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6923; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6981; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6747; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6914; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6930; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6949; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6888; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6988; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6817; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6717; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6805; rev:7;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6948; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6955; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6967; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6872; 
rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6841; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6758; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6760; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6922; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6957; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6746; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6936; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6881; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6968; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6750; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6913; rev:5;) 
# NOTE(review): the run of rules above (first sid:6806, last sid:6913 in this stretch) is the
# retired NETBIOS SMB (port 139) / SMB-DS (port 445) family for the RRAS RasRpcSetUserPreferences
# overflows -- every one cites reference:cve,2006-2371, bugtraq 18358 and bulletin MS06-025.
# They are disabled by the leading '#' and kept only so their sids stay reserved; the "DELETED"
# prefix in each msg marks that. The flowbits:isset,dce.bind.rras check present on most of them
# means the rule can only fire once a separate bind-detection rule (not in this stretch) has set
# that bit on the flow, so re-enabling one of these on its own would produce no alerts. The "v4"
# variants (rev:5) carry no flowbits check and instead match what appears to be the RPC interface
# UUID inline: content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|" after the |04 00| version
# bytes. Current coverage for this CVE, if still wanted, belongs in the active rule files; nothing
# here should be un-commented in place.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6990; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6795; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences 
WriteAndX andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6892; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6737; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6826; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6860; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; 
distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6743; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6731; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6771; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras 
RasRpcSetUserPreferences little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6893; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6818; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6768; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6801; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6718; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6999; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; 
distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6971; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6840; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6935; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6825; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; 
byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6940; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6729; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6811; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences 
WriteAndX unicode little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6857; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:7001; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences andx phonebook mode overflow attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6778; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6830; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6756; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6781; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6827; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6749; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6719; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6953; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6812; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 
11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6912; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6873; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6958; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6838; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6745; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6925; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6920; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6991; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6960; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6972; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6890; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6847; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6924; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6807; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6961; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6831; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6937; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6861; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6870; rev:7;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6791; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6859; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX little endian andx phonebook mode 
overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6772; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6738; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6767; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6755; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; 
reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6734; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6819; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6728; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode little 
endian andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6782; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6856; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6868; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6942; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences little endian andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6787; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6911; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6726; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6727; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6855; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras 
RasRpcSetUserPreferences WriteAndX little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6852; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6951; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6867; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6762; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6821; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6754; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; 
content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6770; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6832; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; 
reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6904; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6909; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; 
classtype:attempted-admin; sid:6766; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6934; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6803; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences 
WriteAndX andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6985; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6813; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6900; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6963; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian callback number overflow 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6926; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6871; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6739; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6796; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; 
distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6730; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6891; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; 
byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6820; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6828; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; 
classtype:attempted-admin; sid:6992; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6878; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6839; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode little endian andx phonebook 
mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6784; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode little endian andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6788; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6846; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6759; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 
A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6886; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6752; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; 
classtype:attempted-admin; sid:6808; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6722; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode little endian andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6973; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6962; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6869; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6721; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6854; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6740; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6725; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; 
byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6952; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6775; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6919; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6834; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6790; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6910; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6941; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6753; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6975; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6943; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6964; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6802; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6884; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6986; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6829; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6833; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6898; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6903; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode object 
call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6761; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6848; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6866; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6974; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6765; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6899; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6993; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6879; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; 
byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6793; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6732; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6800; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian andx object call callback number overflow 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6977; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6887; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6751; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6845; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6927; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6783; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6928; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6849; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian andx object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; 
reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6902; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6769; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6865; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6764; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6983; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6980; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; 
sid:6736; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6918; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6776; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras 
RasRpcSetUserPreferences callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6945; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6944; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6835; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6931; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6850; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6724; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences little endian andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6786; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6978; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX little endian object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6720; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6956; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6757; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian object call callback number overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6917; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX unicode little endian andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6876; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6794; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6896; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6799; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX little endian object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6907; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 
0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6994; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6982; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; 
within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6822; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences andx callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6984; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode little endian andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6965; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode little endian area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6843; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6882; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences unicode area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6814; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences unicode phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6735; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6844; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6901; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian 
object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6933; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6804; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6864; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6723; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6763; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6853; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6932; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode little endian andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:7000; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6946; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode andx object call phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6809; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6785; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6742; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences unicode andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6979; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras 
RasRpcSetUserPreferences unicode andx phonebook mode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6773; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX little endian callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6950; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences little endian object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6929; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences little endian object call area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6823; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX unicode andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6885; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX little endian andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6789; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences WriteAndX andx callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6995; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX andx phonebook mode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,34,68,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6779; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences callback number overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|00 0A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6916; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rras RasRpcSetUserPreferences WriteAndX andx object call callback number overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6976; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rras RasRpcSetUserPreferences WriteAndX unicode little endian andx area/country overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"6|00|a |22 FA CF 11 98 23 00 A0 C9 11 E5 DF|"; within:16; distance:22; content:"|0A 
00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,258,0,little,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6877; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rras RasRpcSetUserPreferences unicode andx area/country overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.rras; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0A|"; within:2; distance:19; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,258,0,relative; reference:bugtraq,18358; reference:cve,2006-2371; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-025; classtype:attempted-admin; sid:6897; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7247; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7299; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; 
classtype:attempted-admin; sid:7219; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7272; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7212; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize 
WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7262; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7274; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize unicode andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7279; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7241; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7300; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7222; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7294; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7273; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7218; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7260; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7211; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7259; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7271; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7234; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7242; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7248; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7252; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7223; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7289; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7239; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7225; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7250; rev:11;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7230; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7288; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7213; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7267; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7258; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7293; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7270; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7236; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7304; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7231; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7251; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7224; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7257; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7246; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7240; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc 
NetrPathCanonicalize WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7287; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7237; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7268; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7291; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7296; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7278; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7303; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7216; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7233; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7265; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7295; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7227; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7245; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7220; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7292; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize 
WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7215; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7277; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7255; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7266; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7238; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7285; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7256; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7226; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7286; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7281; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7214; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize 
WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7249; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7290; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7217; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7263; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; 
distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7254; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7301; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7276; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7284; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7298; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7235; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7229; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS 
SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7243; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7280; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7283; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7253; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7275; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7282; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7269; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7232; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7261; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7221; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetrPathCanonicalize WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; 
reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7297; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 srvsvc NetrPathCanonicalize overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7244; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 1F|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7302; 
rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 srvsvc NetrPathCanonicalize WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|1F 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,0,little,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7264; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1F|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,0,relative; reference:bugtraq,19409; reference:cve,2006-3439; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-040; classtype:attempted-admin; sid:7228; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode 
little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8193; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8173; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8344; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8321; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
webdav DavrCreateConnection WriteAndX unicode object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8201; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8100; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; 
distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8128; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8214; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8153; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8244; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8267; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian username overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8298; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8251; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection object call 
hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8190; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8297; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX little endian username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8268; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8191; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode little endian username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8280; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8111; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8258; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8324; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8313; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8306; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection 
little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8181; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8225; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8098; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8106; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8136; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8330; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8118; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8312; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8337; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8202; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8198; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; 
content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8322; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8172; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8343; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8120; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8167; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8160; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8154; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian andx object call hostname 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8250; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; 
sid:8329; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8199; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8346; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8099; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8105; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; 
reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8175; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8121; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8187; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8143; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8252; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8226; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8137; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8182; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX little endian username overflow attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8282; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8097; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; 
distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8162; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8151; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; 
classtype:attempted-admin; sid:8200; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8308; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8123; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection username overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8292; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8331; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8215; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8139; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8112; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8342; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8270; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8277; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8299; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8169; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8138; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8227; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8096; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; 
depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8185; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8142; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8289; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8141; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; 
classtype:attempted-admin; sid:8281; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8229; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8104; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8316; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8195; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8188; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8266; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8307; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8309; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav 
DavrCreateConnection unicode andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8239; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8122; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8209; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8291; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection little endian andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; 
content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8220; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8161; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8245; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8339; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8174; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8132; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8320; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection little endian username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8278; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8152; rev:6;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8216; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8103; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8159; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8332; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian andx username overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8341; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8113; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 
C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8110; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8130; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8275; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
v4 webdav DavrCreateConnection WriteAndX unicode andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8314; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8180; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav 
DavrCreateConnection andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8228; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8315; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8095; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8257; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8327; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8149; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8265; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8230; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8192; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8177; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8140; rev:6;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8219; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8133; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8273; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8264; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection andx username overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8319; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; 
classtype:attempted-admin; sid:8318; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8328; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8325; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8255; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection little endian username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8284; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8301; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8148; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode little endian andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8207; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8221; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8102; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8231; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8347; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8246; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8310; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8300; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8114; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; 
reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8340; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8238; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8176; rev:7;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8333; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX little endian andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8222; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8276; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8164; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8286; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection little endian andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; 
reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8217; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8290; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8294; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8131; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8125; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8240; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode little endian username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8269; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode little endian andx hostname overflow attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8208; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8183; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8256; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX unicode little endian username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8274; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode little endian username overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8283; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8147; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8232; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8134; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8179; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8094; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8326; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav 
DavrCreateConnection WriteAndX little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8186; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8263; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8218; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8233; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8247; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8303; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8115; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8334; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8194; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8241; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8293; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8158; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8296; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8124; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection WriteAndX hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; 
sid:8166; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8237; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode little endian andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8317; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8163; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8242; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8223; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8171; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB webdav WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8109; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8285; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8184; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8311; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode little endian andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8210; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8146; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8126; 
rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8119; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8338; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8271; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode andx username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8323; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX andx bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8145; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8093; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8127; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav 
DavrCreateConnection unicode little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8295; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8196; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode andx object call hostname overflow 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8248; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX little endian hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8165; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8150; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8288; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8304; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8259; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8135; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8302; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8178; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8211; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8262; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8345; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian object call hostname overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8203; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8155; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; 
flowbits:noalert; classtype:protocol-command-decode; sid:8108; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8261; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8101; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX andx object call hostname overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8243; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8170; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection username overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8279; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8116; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; 
classtype:protocol-command-decode; sid:8129; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8335; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8272; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX little endian andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8213; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; 
reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8236; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8144; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8224; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode little endian andx hostname overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8206; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection unicode little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8254; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8234; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8197; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection WriteAndX unicode andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8205; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX little endian username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8287; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode little endian andx object call username overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8348; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8156; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection unicode andx username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8336; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8117; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection WriteAndX unicode little endian object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8260; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX andx object call username overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8305; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB webdav DavrCreateConnection little endian andx hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8235; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 webdav DavrCreateConnection unicode hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8168; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX unicode andx object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8249; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 webdav DavrCreateConnection unicode andx hostname overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8212; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX little endian object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,8,little,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8204; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|87|v|CB C8 D3 E6 D2 11 A9|X|00 C0|Oh.|16|"; distance:29; flowbits:set,dce.bind.webdav; flowbits:noalert; classtype:protocol-command-decode; sid:8107; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS webdav DavrCreateConnection WriteAndX object call hostname overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.webdav; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,8,relative; reference:bugtraq,16636; reference:cve,2006-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-008; classtype:attempted-admin; sid:8189; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
IActivation WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8563; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8694; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8611; rev:7;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8577; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8600; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8649; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8607; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8634; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; 
within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8661; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8668; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8642; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8584; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; 
classtype:attempted-admin; sid:8684; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8654; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8628; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode 
andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8594; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 IActivation remoteactivation overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8691; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8554; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED 
NETBIOS SMB-DS IActivation remoteactivation unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8626; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8599; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8676; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8644; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| 
|AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8636; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8561; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8621; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 
(msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8602; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8656; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation remoteactivation little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8696; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8582; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8682; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX little endian andx alter context attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8575; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8580; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8689; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
v4 IActivation remoteactivation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8638; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8552; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8674; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8646; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8581; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8588; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8650; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8569; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8603; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8630; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX little endian alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8557; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8560; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8658; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8637; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8614; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8578; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8601; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8672; 
rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8595; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8639; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8590; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8632; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8648; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8573; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8678; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation unicode little 
endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8652; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 IActivation remoteactivation overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8692; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8586; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8699; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8686; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8597; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8618; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8616; rev:7;)
# ---------------------------------------------------------------------------
# Retired IActivation (DCOM RemoteActivation) detection set for MS03-026 /
# MS03-039 (bugtraq 8205, CVE-2003-0352, CVE-2003-0715). Every rule in this
# section is commented out and carries the "DELETED" msg prefix: it is kept
# for reference only and is not loaded.
#
# The set is built as a flowbit producer/consumer pair:
#   - "bind" / "alter context" rules match a DCE/RPC bind (|0B|) or alter
#     context (|0E|) PDU naming the IActivation interface UUID
#     |B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W (wire byte order of
#     4d9f4ab8-7d1c-11cf-861e-0020af6e7c57), set dce.bind.IActivation and
#     never alert on their own (flowbits:noalert, protocol-command-decode).
#   - "overflow" rules require flowbits:isset,dce.bind.IActivation and fire
#     when the 4-byte field 52 bytes past the last anchor exceeds 256
#     (byte_test:4,>,256,52,...,relative; attempted-admin).
#
# Variants exist per transport (135 NCACN-IP-TCP, 139 SMB, 445 SMB-DS,
# 593 NCACN-HTTP), per SMB carrier (% = Transaction, / = WriteAndX, and the
# AndX-chained forms selected by the leading command pcre), per SMB Unicode
# flag (byte_test 128 on flags2, "unicode"), per DCE/RPC byte order
# (byte_test 16 on the data-representation byte, "little endian"), and, for
# the "v4" rules, a DCE/RPC version-4 |04 00| header instead of |05|.
#
# NOTE(review): producers and consumers were retired together. Re-enabling a
# single "overflow" rule without its matching bind/alter-context producer
# would never fire, because the flowbit is never set. Replacement coverage,
# if any, is not recorded in this section.
# ---------------------------------------------------------------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8625; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8663; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8565; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8605; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8567; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8559; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8571; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8665; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8576; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8623; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8670; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8697; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8690; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8683; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8667; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8555; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8591; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8627; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8608; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8564; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8566; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8619; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8633; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8655; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8662; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8610; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8641; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8585; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8685; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8669; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8681; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8673; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8574; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8643; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8593; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8688; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8635; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8583; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8660; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8553; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8612; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8675; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8562; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8629; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8609; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8620; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation remoteactivation overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8693; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8671; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8558; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8596; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8659; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8572; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8651; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX little endian object call 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8622; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8677; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8645; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8589; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation remoteactivation object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8698; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8604; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8570; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 IActivation remoteactivation little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; 
classtype:attempted-admin; sid:8695; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 IActivation remoteactivation WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8687; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8613; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX andx overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8666; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8556; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8647; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8657; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; 
reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8624; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8598; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8640; rev:5;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8587; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8592; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8679; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8615; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8617; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8664; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 IActivation remoteactivation unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,52,little,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8653; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation remoteactivation unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8631; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8606; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IActivation remoteactivation WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.IActivation; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,52,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:8680; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8568; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IActivation WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; distance:29; flowbits:set,dce.bind.IActivation; flowbits:noalert; classtype:protocol-command-decode; sid:8579; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8948; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8941; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9012; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9109; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9117; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9110; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9102; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8992; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8976; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9091; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9097; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrJoinDomain2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9127; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9043; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8934; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9115; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9058; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9087; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9040; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9015; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 wkssvc NetrAddAlternateComputerName little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9022; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8937; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9010; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8990; rev:7;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8999; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8957; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
wkssvc NetrJoinDomain2 andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9075; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9049; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8946; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8978; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8980; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9089; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8960; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9000; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9005; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9095; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8972; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrAddAlternateComputerName little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9026; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; 
reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9120; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9020; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; 
reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9104; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9013; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9035; 
rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9064; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8929; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9077; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9066; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8983; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9122; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8968; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8973; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8933; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9056; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9105; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9002; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9070; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8943; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9003; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9113; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9018; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9083; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8945; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 wkssvc NetrAddAlternateComputerName overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9024; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8986; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9107; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9093; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8996; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; 
sid:8959; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8930; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9080; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9047; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8962; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9100; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 wkssvc NetrJoinDomain2 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9124; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9009; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8975; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9041; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8927; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9118; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9051; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; 
within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9072; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9079; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9085; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8994; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8953; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8988; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; 
sid:9046; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9031; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9054; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX little 
endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8950; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8985; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9082; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9067; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9060; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8940; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9038; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8939; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9111; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8964; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9073; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrJoinDomain2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9126; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8993; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9007; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9044; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode little endian andx overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9081; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9016; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9063; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9088; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9036; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8936; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8955; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrAddAlternateComputerName overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9021; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8949; 
rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8991; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9116; 
rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9074; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8956; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode little endian andx object 
call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9011; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9059; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX unicode little endian overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9062; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8951; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9069; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9006; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9103; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8977; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8944; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8961; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrJoinDomain2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; 
reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9128; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9092; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; 
content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9098; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9034; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; 
sid:8966; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrAddAlternateComputerName object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9025; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9065; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8935; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9114; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9014; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9028; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9076; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8947; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8982; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9057; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8998; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8981; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; 
within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8979; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8970; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; 
reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9004; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9001; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; 
reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9039; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9084; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrAddAlternateComputerName little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9023; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName little endian andx overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9019; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8932; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8971; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9052; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8997; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8958; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9121; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9096; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9090; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9048; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8984; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8928; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8974; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 wkssvc NetrJoinDomain2 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9123; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|1B 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; 
sid:8987; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9119; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9106; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9055; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8942; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName object call 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8967; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9078; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9033; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8952; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8995; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9071; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8938; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9112; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9030; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9061; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9037; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9068; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; 
classtype:attempted-admin; sid:9017; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9086; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrAddAlternateComputerName overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 1B|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; 
classtype:attempted-admin; sid:8931; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8965; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrJoinDomain2 WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9050; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9094; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9099; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName unicode little endian object call overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8963; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8954; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|16 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9108; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9101; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8926; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9042; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrJoinDomain2 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 16|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9045; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8969; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrAddAlternateComputerName andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1B|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:9008; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 16|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9029; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrJoinDomain2 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 16|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; 
reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9053; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrAddAlternateComputerName little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1B 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:attempted-admin; sid:8989; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrJoinDomain2 WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|16 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; 
classtype:attempted-admin; sid:9032; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrJoinDomain2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|16 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|5C 00|"; distance:12; isdataat:256,relative; content:!"|00 00|"; within:256; reference:cve,2006-4691; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-070; classtype:attempted-admin; sid:9125; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9255; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9133; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9323; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9286; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9293; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9264; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9160; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9316; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9241; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9233; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9200; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9222; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9207; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9231; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9196; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9148; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9162; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9175; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9307; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9278; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9209; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9184; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9305; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9153; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; 
sid:9276; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9191; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9138; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9268; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9253; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 
C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9246; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9251; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9141; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9291; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; 
reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9318; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9216; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9143; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9303; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9173; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any 
WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9165; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9220; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9249; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9229; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9205; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9186; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9151; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9238; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9262; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9193; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; 
sid:9312; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9274; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9157; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9258; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9192; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9226; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9236; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9214; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9189; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9311; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9301; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 
B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9204; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9245; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9172; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9321; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9179; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9163; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9219; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9256; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9161; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX little endian overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9266; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9284; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9314; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9183; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9272; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9243; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9185; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9298; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; 
within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9134; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9281; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9270; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9136; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; 
classtype:attempted-admin; sid:9155; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9170; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9308; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 
netware_cs NwrOpenEnumNdsStubTrees_Any unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9212; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9177; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian andx object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9224; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9146; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9194; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9202; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9210; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9234; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9208; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9176; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; 
within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9240; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9197; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; 
reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9149; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9223; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9217; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9206; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; 
reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9187; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9152; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9181; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9254; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9263; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9279; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9168; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; 
depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9283; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9296; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9317; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9322; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9269; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9248; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9144; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9232; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9230; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs 
NwGetConnectionInformation unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9306; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9215; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX unicode 
little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9252; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9304; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9288; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9159; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9239; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9166; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9320; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9139; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9199; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9190; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; 
content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9294; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9261; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9285; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9247; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; 
reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9277; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9150; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9250; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any 
little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9221; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9142; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation little endian andx object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9319; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9174; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9259; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9282; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9260; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9290; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9198; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9297; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9237; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9156; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; 
reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9188; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9310; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9244; rev:5;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9203; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9211; rev:5;) 
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9164; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9145; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9213; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9302; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9227; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9313; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9140; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9267; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwGetConnectionInformation WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9289; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9299; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; 
reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9257; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9275; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9280; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9158; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9287; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9137; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9182; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs 
NwGetConnectionInformation WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9242; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9292; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9154; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9295; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwGetConnectionInformation WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9300; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9309; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9167; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9225; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9147; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9171; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; 
within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9195; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|09 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9178; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|09 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9201; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9218; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwrOpenEnumNdsStubTrees_Any WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; byte_test:4,>,128,0,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9180; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9315; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; 
classtype:attempted-admin; sid:9235; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 B0|z|E6|D|98|!5|9D|2|83|O|03 80 01 C0|"; within:16; distance:22; content:"|00 09|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9169; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9273; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwrOpenEnumNdsStubTrees_Any object call 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 09|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,0,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9135; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS netware_cs NwGetConnectionInformation little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,128,4,little,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9271; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB netware_cs NwGetConnectionInformation WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.netware_cs; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,128,4,relative; reference:cve,2006-4688; reference:cve,2006-4689; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-066; classtype:attempted-admin; sid:9265; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator RemoteCreateInstance little endian attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9600; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; 
reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9543; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; distance:29; flowbits:set,dce.bind.brightstor; flowbits:noalert; classtype:protocol-command-decode; sid:9438; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9497; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9545; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9563; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9459; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode little endian andx alter context attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9480; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9558; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9608; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9519; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9521; rev:5;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9513; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9584; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; 
flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9481; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9475; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9462; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 
01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9458; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator RemoteCreateInstance little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9612; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9526; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX little endian andx object call attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9592; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9449; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 
00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9485; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9556; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9477; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator bind attempt"; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9511; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; distance:29; flowbits:set,dce.bind.brightstor; flowbits:noalert; classtype:protocol-command-decode; sid:9439; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9568; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9605; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9547; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; 
flowbits:noalert; classtype:protocol-command-decode; sid:9494; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9561; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9517; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS 
DCERPC NCACN-HTTP ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9508; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9575; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; 
distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9586; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9523; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9503; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9487; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"+|00|"; within:2; distance:19; isdataat:672,relative; content:!"|00|"; within:672; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9442; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator RemoteCreateInstance object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9614; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9468; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance little endian attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9610; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9578; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode 
little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9535; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9594; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9483; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9470; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; 
reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9548; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor QSIGetQueuePath little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; within:16; distance:22; content:"+|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:672,relative; content:!"|00|"; within:672; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9443; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9456; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9603; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9469; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9611; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9606; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9471; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9597; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9489; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9537; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9453; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|+"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:672,relative; content:!"|00|"; within:672; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9446; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9570; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9588; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9560; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9553; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9465; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9502; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; 
distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9539; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9577; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; 
distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9529; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9507; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9565; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9491; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9515; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; 
flowbits:noalert; classtype:protocol-command-decode; sid:9496; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9490; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9473; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9541; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator RemoteCreateInstance object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9616; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; 
reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9590; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9451; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9572; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9448; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2004-0116; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9601; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9500; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; 
sid:9505; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9524; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance little endian object call attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9618; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator RemoteCreateInstance attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9599; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9464; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9567; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 
ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9530; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9551; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode andx attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9581; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance object call attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9617; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; distance:29; flowbits:set,dce.bind.brightstor; flowbits:noalert; classtype:protocol-command-decode; sid:9440; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9467; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9598; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9583; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9520; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9504; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 
00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9460; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9593; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9579; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9486; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9450; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9574; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9542; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9550; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; distance:29; flowbits:set,dce.bind.brightstor; flowbits:noalert; classtype:protocol-command-decode; sid:9437; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9476; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9564; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9493; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9532; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9512; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9498; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9499; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX little endian object call attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9544; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9585; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9522; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9609; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9509; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9615; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9518; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9576; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9484; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9457; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; 
distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9534; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9595; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9488; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator RemoteCreateInstance little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9613; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9555; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; 
distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9478; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9557; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9482; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance unicode andx 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9562; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9569; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 ISystemActivator 
RemoteCreateInstance little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9604; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9510; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9546; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 
ISystemActivator RemoteCreateInstance WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9525; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"+|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:672,relative; content:!"|00|"; within:672; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9445; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9571; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9454; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9536; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX little endian bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9463; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9528; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; 
reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9538; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9580; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9552; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9466; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9587; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9455; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9602; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9495; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|+"; 
within:2; distance:19; isdataat:672,relative; content:!"|00|"; within:672; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9444; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9516; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9607; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9554; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9472; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; 
flowbits:noalert; classtype:protocol-command-decode; sid:9447; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9573; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9452; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9461; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 ISystemActivator RemoteCreateInstance attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9596; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; 
classtype:protocol-command-decode; sid:9591; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9559; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9501; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator RemoteCreateInstance little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9527; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9582; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9514; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9589; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 04|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9566; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; 
flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9506; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator RemoteCreateInstance WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9533; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator RemoteCreateInstance WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9531; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9492; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9479; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; 
distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9540; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.ISystemActivator; flowbits:noalert; classtype:protocol-command-decode; sid:9474; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator RemoteCreateInstance unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:protocol-command-decode; sid:9549; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9683; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc GetGroupStatus overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|00|%"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,4096,0,relative; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9808; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9697; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9688; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 4 little endian overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9765; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9713; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9710; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9722; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:9763; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msqueue function 1 little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9782; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9693; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9770; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9739; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9707; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9704; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9717; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9779; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator CoGetInstanceFromFile little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9755; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 1 little endian overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; 
distance:19; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9781; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9747; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9788; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9686; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator CoGetInstanceFromFile attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9737; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 4 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9768; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; 
reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9678; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9702; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; 
sid:9730; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9745; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9699; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9727; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9719; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msqueue function 1 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9777; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS 
SMB ISystemActivator CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9724; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9681; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; 
classtype:protocol-command-decode; sid:9760; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9714; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator CoGetInstanceFromFile object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9753; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 ISystemActivator CoGetInstanceFromFile little endian attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9744; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGroupStatus object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|%"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,4096,0,relative; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9811; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9677; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9721; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9733; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile little endian object call attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 
00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9758; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9740; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9708; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator CoGetInstanceFromFile attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9751; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9712; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9692; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; distance:29; flowbits:set,dce.bind.brightstor-arc; flowbits:noalert; classtype:protocol-command-decode; sid:9803; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 4 object call overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9767; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9689; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9742; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 1 object call overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9784; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 
00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9675; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9728; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9696; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9706; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9701; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; distance:29; flowbits:set,dce.bind.brightstor-arc; flowbits:noalert; classtype:protocol-command-decode; sid:9805; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 1 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9775; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9756; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; 
depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9735; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9690; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9749; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9736; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:9762; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 
00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9705; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9694; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; 
byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9731; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 1 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9778; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9716; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9725; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9748; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGroupStatus little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"%|00|"; within:2; distance:19; byte_test:4,>,4096,0,little,relative; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9807; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9684; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGroupStatus little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"%|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,4096,0,little,relative; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9810; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9698; rev:7;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9711; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9703; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: 
(msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; distance:29; flowbits:set,dce.bind.brightstor-arc; flowbits:noalert; classtype:protocol-command-decode; sid:9802; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 4 little endian object call overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,8,little,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9771; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGroupStatus overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|%"; within:2; distance:19; byte_test:4,>,4096,0,relative; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9809; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9726; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 1 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9787; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile object call attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9754; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; 
distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9718; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msqueue function 1 overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9776; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9682; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 msqueue function 1 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; 
within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9780; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9746; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 1 little endian object call overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9789; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9687; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9676; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9729; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator CoGetInstanceFromFile little endian object 
call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9752; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9732; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator CoGetInstanceFromFile object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9759; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 ISystemActivator CoGetInstanceFromFile WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9700; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9679; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 
ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9741; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9709; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9785; rev:3;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9685; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue function 4 overflow attempt"; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; byte_test:4,>,128,8,relative; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9766; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9715; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP msqueue little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; distance:29; flowbits:set,dce.bind.msqueue; flowbits:noalert; classtype:protocol-command-decode; sid:9761; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT msqueue function 1 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9786; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 ISystemActivator CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; 
reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9720; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; distance:29; flowbits:set,dce.bind.brightstor-arc; flowbits:noalert; classtype:protocol-command-decode; sid:9804; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9680; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9743; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9695; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 msqueue function 1 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,20,relative; classtype:attempted-admin; sid:9783; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.msqueue; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,little,relative; classtype:attempted-admin; sid:9774; rev:3;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT ISystemActivator CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9738; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9674; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile little endian attempt"; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9750; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9723; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB ISystemActivator CoGetInstanceFromFile little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9734; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP ISystemActivator 
CoGetInstanceFromFile little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9757; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS ISystemActivator CoGetInstanceFromFile unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.ISystemActivator; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,little; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:9691; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 msqueue function 4 little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,128,8,little,relative; 
reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:9764; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9968; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9961; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9985; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc2 ASDBLoginToComputer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; within:16; distance:22; content:"|00|u"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,119,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10052; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; 
classtype:protocol-command-decode; sid:9859; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9873; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9973; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9930; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9935; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9955; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9904; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9867; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ClientDBMiniAgentClose attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 BF|"; within:2; distance:19; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10026; rev:4;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9993; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX unicode LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9924; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9887; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9889; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10048; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9882; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9896; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10006; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10003; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9998; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
tapisrv ClientRequest WriteAndX unicode LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9932; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9906; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; 
within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9957; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9982; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; 
byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9963; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9875; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|u"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,119,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10054; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest unicode LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; 
within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9926; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9938; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10046; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor QSIGetQueuePath_Function_45 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; within:16; distance:22; content:"-|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060330.pdf; classtype:protocol-command-decode; sid:10033; rev:3;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9991; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9868; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath_Function_45 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|-"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,20365; reference:cve,2006-5143; 
reference:url,www.lssec.com/advisories/LS-20060330.pdf; classtype:protocol-command-decode; sid:10035; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ClientDBMiniAgentClose little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|BF 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10029; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"u|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,119,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10060; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; 
byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9959; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10001; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9940; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor 
ASRemotePFC little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"/|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,624,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10041; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9949; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; 
distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9915; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9880; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor ASRemotePFC little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; within:16; distance:22; content:"/|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,624,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10038; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 
00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9894; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9908; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc2 ASDBLoginToComputer little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; within:16; distance:22; content:"u|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,119,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10058; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9990; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9939; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9921; 
rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9951; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9980; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9989; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath_Function_45 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"-|00|"; within:2; distance:19; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060330.pdf; classtype:protocol-command-decode; sid:10031; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9965; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9877; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ReserveGroup little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"&|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10023; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; 
byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9996; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9861; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9900; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor ASRemotePFC object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|/"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,624,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; 
reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10040; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ClientDBMiniAgentClose object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 BF|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10028; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9975; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10000; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10007; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ReserveGroup little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"&|00|"; within:2; distance:19; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; 
sid:10021; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9912; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9854; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; 
flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9885; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9945; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9850; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9937; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc2 ASDBLoginToComputer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; within:16; distance:22; content:"|00|u"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,119,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10056; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10043; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; 
byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9923; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9986; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9857; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9902; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9994; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9870; rev:6;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9879; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9863; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; 
byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9967; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9916; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; 
classtype:attempted-admin; sid:9977; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9910; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10005; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9891; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9970; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; 
content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9883; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest unicode LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9919; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9898; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9864; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9947; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; 
sid:9953; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9929; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9941; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9954; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10044; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9881; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9928; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9858; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"u|00|"; within:2; distance:19; byte_test:4,>,119,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10053; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9972; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9872; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10047; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9984; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9905; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9851; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9933; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc ReserveGroup little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"&|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10020; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9983; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX 
unicode little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9960; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9979; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9866; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9871; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9888; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 
e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9927; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9852; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9943; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer object call 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|u"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,119,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10061; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9893; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9948; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10004; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9962; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9886; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10042; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor ASRemotePFC little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"/|00|"; within:2; distance:19; byte_test:4,>,624,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10037; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ReserveGroup attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|&"; within:2; distance:19; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10019; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS 
SMB tapisrv ClientRequest andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9999; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"u|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,119,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10055; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9956; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9874; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9969; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9895; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9981; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9992; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9907; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10045; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX unicode little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9997; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9862; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9918; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9958; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9876; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest unicode andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10002; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9903; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ClientDBMiniAgentClose little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|BF 00|"; within:2; distance:19; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10027; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10009; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9884; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 
01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9913; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9855; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9899; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; 
flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9892; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest little endian object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9950; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|u"; within:2; distance:19; byte_test:4,>,119,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10059; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; 
within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9942; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9936; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9920; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode 
little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9853; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath_Function_45 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"-|00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060330.pdf; classtype:protocol-command-decode; sid:10034; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; 
sid:9964; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9909; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9901; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9988; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9860; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9987; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9869; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest unicode andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9974; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; 
classtype:protocol-command-decode; sid:9897; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9911; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:10008; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; 
depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9890; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9917; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest unicode little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9978; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9865; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9971; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest object call LSetAppPriority overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9946; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor ASRemotePFC overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|k|24 DC|zz|CE 11 9F 88 00 80|_|E4|88"; within:16; distance:22; content:"|00|/"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,624,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10039; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9934; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9944; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 tapisrv ClientRequest WriteAndX LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9925; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest little endian andx LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9966; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 tapisrv ClientRequest WriteAndX little endian LSetAppPriority overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9922; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB tapisrv ClientRequest WriteAndX unicode object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9952; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6504 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 ASDBLoginToComputer little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"u|00|"; within:2; distance:19; byte_test:4,>,119,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10057; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT brightstor QSIGetQueuePath_Function_45 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|-"; within:2; distance:19; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060330.pdf; classtype:protocol-command-decode; sid:10032; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc2 little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; distance:29; flowbits:set,dce.bind.brightstor-arc2; flowbits:noalert; classtype:protocol-command-decode; sid:10049; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc ReserveGroup object call attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00|&"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10022; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest andx LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9976; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc ClientDBMiniAgentClose attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|00 BF|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10025; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc2 ASDBLoginToComputer little endian overflow attempt"; flow:established,to_server; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; within:16; distance:22; content:"u|00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,119,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10051; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX little endian LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9931; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv ClientRequest WriteAndX little endian andx object call LSetAppPriority overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.tapisrv; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,little,relative; 
reference:bugtraq,14518; reference:cve,2005-0058; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-040; classtype:attempted-admin; sid:9995; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9878; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS tapisrv unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" e_/F|CA|g|10 B3 19 00 DD 01 06|b|DA|"; distance:29; flowbits:set,dce.bind.tapisrv; flowbits:noalert; classtype:protocol-command-decode; sid:9856; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc GetGCBHandleFromGroupName overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|00 CF|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,1024,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; classtype:attempted-admin; sid:10122; rev:6;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 CF|"; within:2; distance:19; byte_test:4,>,1024,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; classtype:attempted-admin; sid:10120; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|CF 00|"; within:2; distance:19; byte_test:4,>,1024,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; classtype:attempted-admin; sid:10118; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc GetGCBHandleFromGroupName object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 CF|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,1024,0,relative; reference:bugtraq,22005; reference:cve,2007-0169; classtype:attempted-admin; sid:10119; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc GetGCBHandleFromGroupName little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|CF 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,1024,0,little,relative; reference:bugtraq,22005; reference:cve,2007-0169; 
classtype:attempted-admin; sid:10121; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect; flowbits:noalert; classtype:protocol-command-decode; sid:10201; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|17 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10213; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect; flowbits:noalert; classtype:protocol-command-decode; sid:10199; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|04 00 03 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; 
reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10203; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|04 00 03 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10205; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|04 00 03 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10207; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|17 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; 
classtype:protocol-command-decode; sid:10210; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|17 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10209; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect; flowbits:noalert; classtype:protocol-command-decode; sid:10200; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetRealTimeScanConfigInfo little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|04 00 03 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10204; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; 
content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect; flowbits:noalert; classtype:protocol-command-decode; sid:10198; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect COMN_NetTestConnection object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|17 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10212; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect COMN_NetTestConnection little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|17 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10211; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetRealTimeScanConfigInfo object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|04 00 03 00|"; within:4; byte_test:4,>,600,0,little,relative; reference:bugtraq,22639; 
reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10206; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10309; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10233; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; 
flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10220; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10300; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10238; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10344; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10327; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10334; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl little 
endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10229; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10337; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; 
content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10287; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10243; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10377; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10375; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10291; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10381; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10266; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10255; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10319; rev:4;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10362; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10279; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10273; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10222; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10346; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10268; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10248; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10282; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10235; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10251; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10302; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl 
ChangeServiceConfig2A unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10317; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10356; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; 
classtype:protocol-command-decode; sid:10314; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10241; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl ChangeServiceConfig2A little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10383; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10297; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A 
WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10369; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10257; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10379; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10264; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10304; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX little endian andx attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10364; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10298; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10341; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10246; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10358; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10371; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10353; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10305; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode object call 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10323; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10234; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10224; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10312; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10295; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10330; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl 
ChangeServiceConfig2A WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10333; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10351; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10365; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl ChangeServiceConfig2A object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10385; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10270; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10263; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10328; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10244; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10274; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10254; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; 
reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10267; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10339; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10226; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10349; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10281; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10219; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10321; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10307; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10288; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10343; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10311; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10236; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10231; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10360; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10259; rev:8;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10367; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10261; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10253; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10276; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10242; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode andx object call attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10373; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10374; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10376; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10380; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10368; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
svcctl WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10256; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10345; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10363; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10265; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10292; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10275; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10318; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10301; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10329; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10308; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; 
classtype:protocol-command-decode; sid:10221; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10326; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10240; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 
F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10336; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10284; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10232; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10342; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10382; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10355; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10350; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10217; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10290; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10299; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10269; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10347; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl 
andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10249; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10278; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; 
distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10272; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10335; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10303; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10228; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10316; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10324; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10250; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10283; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10223; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10378; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10296; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10225; 
rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10352; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10252; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10370; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10366; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10271; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10262; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 svcctl ChangeServiceConfig2A little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10384; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; 
classtype:protocol-command-decode; sid:10258; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10315; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10354; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 
F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10247; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10357; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10322; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10325; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10237; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10280; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS 
svcctl ChangeServiceConfig2A little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10306; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10332; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10294; rev:4;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10361; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10260; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10310; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT svcctl ChangeServiceConfig2A little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10386; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10372; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10286; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10338; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl ChangeServiceConfig2A WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 24|"; within:2; distance:19; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10359; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10245; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10277; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10289; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS 
SMB svcctl ChangeServiceConfig2A little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 00|"; within:2; distance:19; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10313; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|24 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10348; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; 
flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10218; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|24 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,little,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10331; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 svcctl ChangeServiceConfig2A unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10293; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10239; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 svcctl ChangeServiceConfig2A unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; within:16; distance:22; content:"|00 24|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10340; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl ChangeServiceConfig2A object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.svcctl; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 24|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,24,relative; content:"|00 00 00 00|"; within:4; classtype:protocol-command-decode; sid:10320; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS svcctl WriteAndX little endian alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10230; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB svcctl unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|81 BB|z6D|98 F1|5|AD|2|98 F0|8|00 10 03|"; distance:29; flowbits:set,dce.bind.svcctl; flowbits:noalert; reference:url,www.hsc.fr/ressources/articles/win_net_srv/msrpc_svcctl.html; classtype:protocol-command-decode; sid:10227; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; 
sid:10659; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 dns R_DnssrvUpdateRecord2 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10550; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10646; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 17 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 11|"; within:2; distance:19; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10498; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS dns alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10515; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10688; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10614; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 dns R_DnssrvUpdateRecord2 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10573; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10601; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX little endian overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10542; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 16 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|10 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10496; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10644; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10520; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10690; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX little endian andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10640; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10649; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10686; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 16 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 10|"; within:2; distance:19; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10495; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10589; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS 
SMB-DS dns R_DnssrvUpdateRecord2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10608; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10617; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 
AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10521; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10566; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10622; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10536; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 17 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 11|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10502; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10519; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10652; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10514; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10624; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10555; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10661; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc function 16 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|10 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10493; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10638; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc function 15 little endian attempt"; flow:established,to_server; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|0F 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10488; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc function 17 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|11 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10500; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 15 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0F|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10491; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10645; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10518; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 17 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|11 00|"; within:2; distance:19; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10499; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10545; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10587; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10523; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10586; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10537; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10516; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10574; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; 
distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10568; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10581; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 15 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10487; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10530; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10664; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10679; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 16 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 10|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10497; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10572; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10522; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10592; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10672; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10627; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10609; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX unicode object call overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10531; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 17 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|11 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10503; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; 
reference:cve,2007-1748; classtype:attempted-admin; sid:10529; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10580; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10517; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10653; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 16 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|10 00|"; within:2; distance:19; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10494; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvUpdateRecord2 WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10602; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvUpdateRecord2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 07|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10558; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvUpdateRecord2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10632; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvUpdateRecord2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|07 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10560; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc function 17 attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|00 11|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10501; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10577; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10658; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvUpdateRecord2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; 
within:2; distance:19; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10630; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10552; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc function 16 attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|00 10|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10492; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT v4 brightstor-arc function 15 attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|F0|=|B9|b|02 8B CE 11 87|l|00 80|_|84 28|7"; within:16; distance:22; content:"|00 0F|"; within:2; distance:28; 
pcre:"/^.{10}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10489; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6502,6503] (msg:"DELETED NETBIOS DCERPC DIRECT brightstor-arc function 15 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0F 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:bugtraq,22994; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10490; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvUpdateRecord2 unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10669; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10919; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10774; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; 
reference:cve,2007-1748; classtype:attempted-admin; sid:10949; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10787; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10923; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10826; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10911; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10898; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns 
andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10789; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10764; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10847; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode alter 
context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10699; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10901; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10854; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10877; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10776; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10717; rev:4;)
#
# Reviewer notes on the deleted R_DnssrvEnumRecords rule family below (bugtraq 23470 / CVE-2007-1748):
#
# * Every rule in this family is commented out and its msg is prefixed "DELETED". They are retained
#   for SID history only; do not uncomment individual rules from this file.
# * The "... overflow attempt" rules (classtype attempted-admin) carry flowbits:isset,dce.bind.dns.
#   That bit is only set by the companion "bind attempt" / "alter context attempt" rules, which are
#   flowbits:noalert and therefore never produce an alert of their own. Resurrecting an overflow rule
#   without the bind/alter-context rule for the same transport, byte order and SMB/unicode variant
#   yields a rule that silently never fires.
# * The "v4 ..." variants match content:"|04 00|" and carry no flowbits; they stand alone.
# * Three transports are covered: port 445 SMB framing (|FF|SMB with a % or / command byte, with or
#   without a preceding AndX chain), and "DCERPC DIRECT" on $HOME_NET 1024: (any port >= 1024).
#   The DCERPC DIRECT rules anchor on content:"|05|" with no depth or offset, so the match may start
#   at any 0x05 byte of the payload; expect false positives if these are ever re-enabled.
# * Byte-order pairing: rules named "little endian" test byte_test:1,&,16,3,relative and use the
#   little keyword on the later byte_jump/byte_test; the others test !& and read big-endian.
#   Rules named "unicode" test byte_test:1,&,128,6,relative. Mixing the variants breaks the match.
# * The overflow condition itself is byte_jump:4,-4,multiplier 2,relative,align followed by
#   byte_test:4,>,256,4,relative: a length field greater than 256 triggers the alert (presumably a
#   UTF-16 string count, hence multiplier 2 -- TODO confirm against the wire encoding).
# * The 16-byte content |A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v is presumably the target RPC
#   interface UUID -- verify before reusing it elsewhere.
# * NOTE(review): current rulesets express DCE/RPC interface and opnum matching with preprocessor
#   options rather than raw byte_jump chains; confirm a live replacement SID exists before treating
#   any of these as coverage.
#
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10950; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvEnumRecords little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10895; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10828; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvEnumRecords overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10815; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10756; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10741; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10747; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10726; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvEnumRecords object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10859; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10936; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10878; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10750; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10926; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10882; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10866; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10938; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10876; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10765; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10775; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10702; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10899; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10812; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10884; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10887; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10874; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10864; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10880; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10763; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10909; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10715; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10827; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10777; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns R_DnssrvEnumRecords little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10823; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10738; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10897; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10714; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10740; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 dns R_DnssrvEnumRecords overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10931; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10851; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10951; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10829; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10739; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT dns little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10716; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10748; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10762; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10948; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 dns R_DnssrvEnumRecords little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10853; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10952; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10879; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x01|\x00\x03)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10925; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x01\x00|\x03\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10825; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10839; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10708; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 dns R_DnssrvEnumRecords unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x01|\x00\x03)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10946; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns R_DnssrvEnumRecords WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x01\x00|\x03\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10810; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS dns unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10700; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|05|"; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11169; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11083; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11152; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11112; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11054; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11149; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11094; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11122; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; 
distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11011; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11144; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11018; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11052; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11008; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11029; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; 
distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11092; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11062; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11106; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11174; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11079; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11138; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11036; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11045; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11131; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11034; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11157; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11167; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11057; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11089; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11105; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11081; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11096; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11132; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11075; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11108; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11064; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11016; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; 
sid:11047; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 rpcss _RemoteGetClassObject attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11170; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11087; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11103; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX little endian andx alter context attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11050; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11055; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11165; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11161; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11037; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11099; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11156; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11116; rev:4;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11111; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11129; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11041; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11049; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11124; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11140; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11025; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11097; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss little endian 
andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11065; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11009; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11019; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX andx 
alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11039; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11022; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11071; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11143; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11014; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11136; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11114; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11035; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11027; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11154; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11085; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11030; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode 
object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11120; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11163; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11127; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11067; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11006; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 rpcss _RemoteGetClassObject little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; 
content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11172; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11043; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11145; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11090; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11017; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11053; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11032; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11024; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11077; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11015; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11051; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11061; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode little endian object call attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11109; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11146; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; 
flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11046; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11023; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11168; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11069; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 
(msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11173; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11139; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; 
classtype:protocol-command-decode; sid:11078; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11005; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11084; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; 
distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11123; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11153; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11093; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11012; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11133; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11100; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11148; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11159; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11007; rev:7;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11063; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11020; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11130; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11040; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11048; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11113; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11033; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11158; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11135; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11082; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11058; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX little endian andx 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11151; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11010; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11095; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode little endian 
object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11118; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11125; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 
00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11042; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11026; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11119; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11066; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11110; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11128; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11141; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11098; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11060; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode little endian bind attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11031; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11134; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11070; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11013; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11137; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11080; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode little endian attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11104; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11166; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11162; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11056; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11088; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11150; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11068; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 rpcss _RemoteGetClassObject andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11126; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|03 00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11091; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11028; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11117; rev:4;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11171; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11107; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11044; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11021; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11142; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 rpcss _RemoteGetClassObject WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:22; content:"|00 03|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11076; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
rpcss _RemoteGetClassObject WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11101; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss _RemoteGetClassObject WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 03|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11147; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; 
classtype:protocol-command-decode; sid:11102; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11059; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP rpcss bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11072; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11115; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS rpcss 
_RemoteGetClassObject WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11121; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|03 00|"; within:2; distance:19; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11086; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 
03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11160; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; distance:29; flowbits:set,dce.bind.rpcss; flowbits:noalert; classtype:protocol-command-decode; sid:11038; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 03|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11155; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB rpcss _RemoteGetClassObject little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.rpcss; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|03 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; reference:cve,2003-0605; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:11164; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11427; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11549; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11458; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11383; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11375; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX alter context attempt"; content:"|11|"; 
depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11332; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11500; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11615; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11326; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11531; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11595; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11552; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11559; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11475; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc 
LsarAddPrivilegesToAccount WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11493; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11400; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; 
distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11523; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11591; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11379; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11436; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc little endian andx alter context attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11386; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11364; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11358; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11517; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11576; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; 
content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11468; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11561; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11396; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; 
distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11356; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11403; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11589; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11482; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11508; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11461; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11473; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11420; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11369; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc little endian andx alter context 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11390; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11603; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11547; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG 
SMB lsarpc unicode andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11381; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11360; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11366; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: 
(msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11593; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11429; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11502; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 
AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11445; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11553; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX andx object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11571; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc LsarAddPrivilegesToAccount little 
endian overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11597; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount little endian andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11585; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11574; rev:3;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11541; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11470; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11525; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11372; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11454; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; 
reference:cve,2007-2446; classtype:attempted-admin; sid:11587; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11405; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11534; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11384; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11466; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11528; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode little endian overflow attempt"; 
flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11488; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11334; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11344; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx object call overflow 
attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11581; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc bind attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11434; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11350; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11519; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11413; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11342; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx object call overflow attempt"; 
flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11570; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11485; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11336; rev:3;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11496; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11343; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11362; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 
(msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11478; rev:3;)
# sid 11471 -- retired (commented out); kept for history only, do not re-enable.
# Same CVE-2007-2446 check as the rules around it, but the DCE/RPC PDU is a connectionless
# ("v4") request carried in an SMB WriteAndX ("|FF|SMB/", command 0x2F) on the NetBIOS
# datagram service (UDP 138, message type "|11|"). The v4 header has a fixed layout, so no
# bind tracking (flowbits) is needed: "|04 00|" = rpc_vers 4 / ptype 0 (request); drep byte
# at +4 with bit 0x10 clear = big-endian integers, hence opnum "|00 13|"; the 16 bytes
# "xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|" at +24 are the interface UUID
# 12345778-1234-abcd-ef00-0123456789ab (lsarpc); opnum 0x0013 = 19 = LsarAddPrivilegesToAccount
# at +68; fragment number "|00 00|" (first fragment) at +76; "/^.{2}/" then steps over the last
# two header bytes to the stub data at +80. isdataat:32 requires 32 bytes of stub, and the final
# pcre alerts when the 4 bytes at stub +20 and stub +28 differ -- presumably the PRIVILEGE_SET
# count and the conformant array count whose mismatch Samba's lsa_io_privilege_set did not
# validate (CVE-2007-2446); field names inferred from MS-LSAD, verify against the spec.
# NOTE(review): the byte_jump is from_beginning followed by a 4-byte skip, which fits the 4-byte
# NBSS frame the TCP (139/445) variants start with; on UDP 138 the SMB header follows the
# datagram header and two encoded NetBIOS names, so the computed DCE/RPC start looks wrong for
# this transport -- confirm before reusing the construct anywhere.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11471; rev:3;)
# sid 11601 -- retired (commented out); kept for history only, do not re-enable.
# Raw connection-oriented DCE/RPC straight over TCP to the endpoint-mapper port (ncacn_ip_tcp,
# 135). It requires that an lsarpc bind was already seen on this flow
# (flowbits:isset,dce.bind.lsarpc, set by the noalert bind / alter-context helper rules in this
# section). Header checks: "|05|" = rpc_vers 5; drep byte at +4 with bit 0x10 clear =
# big-endian; "|00|" at +2 = ptype 0 (request); "|00 13|" at +22 = opnum 19
# (LsarAddPrivilegesToAccount). isdataat:32 requires 32 bytes of stub after the 24-byte header,
# and the final pcre skips 20 bytes (the policy handle, presumably), captures the next 4 bytes
# and alerts when the 4 bytes at stub +28 differ from them -- the count mismatch behind
# CVE-2007-2446. Field names are inferred from MS-LSAD; verify against the spec.
# NOTE(review): "|05|" carries no depth:, so it matches the first 0x05 byte anywhere in the
# reassembled stream rather than anchoring on the PDU header; the relative offsets that follow
# are only meaningful if that byte really is rpc_vers. Current rulesets express this with the
# dcerpc2 preprocessor (dce_iface / dce_opnum / dce_stub_data), which handles transport,
# fragmentation and endianness -- presumably why these per-transport, per-endianness variants
# were deleted.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11601; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode andx overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11546; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11447; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 
00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11535; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11452; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc LsarAddPrivilegesToAccount little endian object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11611; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11513; rev:3;)
# sid 11370 -- retired (commented out); kept for history only, do not re-enable.
# Stateful helper, not a detection: it never alerts (flowbits:noalert) and only records that an
# lsarpc bind was seen (flowbits:set,dce.bind.lsarpc) so that the LsarAddPrivilegesToAccount
# rules carrying flowbits:isset,dce.bind.lsarpc can require it. Transport is an SMB Transaction
# ("|FF|SMB%", command 0x25) with the TRANS_TRANSACT_NMPIPE subcommand ("&|00|" = 0x0026) on the
# NetBIOS datagram service (UDP 138, message type "|11|"); the flags2 test (bit 0x80 of SMB +11
# clear) selects the non-Unicode variant. In the DCE/RPC PDU: "|05|" = rpc_vers 5, drep bit
# 0x10 set = little-endian, "|0B|" at +2 = ptype 11 (bind), and the 16-byte interface UUID
# "xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|" (12345778-1234-abcd-ef00-0123456789ab, lsarpc) is
# searched from +32, where the first presentation context's abstract syntax begins.
# NOTE(review): the UUID content has distance:29 but no within:, so it matches at or anywhere
# after +32 (e.g. a later context element), not specifically the first context.
# NOTE(review): the byte_jump is from_beginning followed by a 4-byte skip, which fits the NBSS
# frame the TCP variants start with; on UDP 138 the SMB header follows the datagram header and
# two encoded NetBIOS names, so the computed DCE/RPC start looks wrong for this transport --
# confirm before reusing the construct.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11370; rev:3;)
# sid 11608 -- retired (commented out); kept for history only, do not re-enable.
# Raw DCE/RPC over RPC-over-HTTP (ncacn_http, TCP 593), little-endian, request carrying an
# object UUID. Requires a prior lsarpc bind on the flow (flowbits:isset,dce.bind.lsarpc).
# Header checks: "|05|" = rpc_vers 5; drep bit 0x10 set = little-endian; "|00|" at +2 = ptype 0
# (request); pfc_flags at +3 with bit 0x80 (PFC_OBJECT_UUID) set, so "/^.{16}/" skips the
# 16-byte object UUID that precedes the stub; "|13 00|" at +22 = opnum 19
# (LsarAddPrivilegesToAccount) in little-endian byte order. isdataat:32 requires 32 bytes of
# stub, and the final pcre alerts when the 4 bytes at stub +20 and stub +28 differ --
# presumably the PRIVILEGE_SET count and the conformant array count whose mismatch Samba's
# parser did not validate (CVE-2007-2446); field names inferred from MS-LSAD, verify.
# NOTE(review): "|05|" has no depth:, so it matches the first 0x05 byte anywhere in the stream
# and every relative offset after it assumes that byte is the PDU's rpc_vers; the dcerpc2
# preprocessor (dce_iface / dce_opnum / dce_stub_data) is the supported way to express this now.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc LsarAddPrivilegesToAccount little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11608; rev:3;)
# sid 11422 -- retired (commented out); kept for history only, do not re-enable.
# Stateful helper like sid 11370, but for raw DCE/RPC on any TCP port >= 1024 ("1024:", a direct
# dynamic endpoint): matches a little-endian alter_context PDU ("|0E|" at +2 = ptype 14) that
# names the lsarpc interface UUID at or after +32, sets dce.bind.lsarpc and never alerts. The
# same missing within: on the UUID applies here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11422; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11393; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11451; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11486; rev:3;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11415; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11505; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11428; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode overflow attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11465; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11391; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11501; 
rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11510; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11349; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11565; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11476; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11457; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11432; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11579; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11568; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11481; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11607; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11406; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; 
reference:cve,2007-2446; classtype:attempted-admin; sid:11586; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11538; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11521; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; 
depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11495; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11354; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11417; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; 
content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11331; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11490; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; 
reference:cve,2007-2446; classtype:attempted-admin; sid:11563; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11605; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11341; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11329; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; 
distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11430; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11424; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11483; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; 
pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11544; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount unicode little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11515; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11389; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11550; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11459; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11449; rev:3;) # alert udp 
$EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11440; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11410; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11557; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount little 
endian object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11512; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11408; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11577; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount little endian andx object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11584; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11398; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11376; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11394; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; 
flowbits:noalert; classtype:protocol-command-decode; sid:11412; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11345; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11351; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11592; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11404; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11387; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; 
reference:cve,2007-2446; classtype:attempted-admin; sid:11540; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11397; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11524; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11562; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount andx object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11573; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; 
flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11333; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11569; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11580; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc little endian bind attempt"; flow:established,to_server; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11439; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11518; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11489; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11335; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11463; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount unicode overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11460; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount 
little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11507; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11378; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; 
pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11554; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11382; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11374; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 
00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11327; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11539; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11338; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11419; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11492; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11401; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; 
within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11596; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11472; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11365; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11533; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11526; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11613; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11542; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11598; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode little endian andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11560; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode andx object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; 
content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11572; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11437; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11353; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11414; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11551; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11509; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX little endian 
alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11347; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11469; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11487; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11567; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11582; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11444; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11435; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11380; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11556; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc LsarAddPrivilegesToAccount little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11614; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11503; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc alter context attempt"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11426; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11367; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11385; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11602; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount little endian object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11609; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11498; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11361; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11421; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11392; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11450; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11455; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11514; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11555; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11588; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11504; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc unicode little endian alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; 
flowbits:noalert; classtype:protocol-command-decode; sid:11348; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11411; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode little endian object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11511; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11537; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11530; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11566; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS 
SMB lsarpc LsarAddPrivilegesToAccount unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11527; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11520; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB 
EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11467; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11480; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11388; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11407; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11337; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11529; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11352; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11612; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11606; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; 
isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11479; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11328; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11340; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11548; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11363; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11499; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc little endian alter context attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11423; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc little endian alter context attempt"; 
content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11346; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11368; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11536; rev:3;) # alert udp $EXTERNAL_NET 
any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11373; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11464; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11600; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount andx overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11545; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11453; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11446; rev:3;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11506; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11543; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 lsarpc LsarAddPrivilegesToAccount unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; 
content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11462; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11425; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11558; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11441; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT lsarpc alter context attempt"; 
flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11431; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11516; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11339; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11456; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11359; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11402; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; 
depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11399; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11377; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount unicode andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11532; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11575; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11578; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 lsarpc LsarAddPrivilegesToAccount WriteAndX unicode little endian andx overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11522; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11357; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode little endian andx object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11583; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB 
lsarpc little endian andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11418; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX unicode andx bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11409; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11564; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX little endian andx alter context attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11395; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP lsarpc little endian bind attempt"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11433; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; 
classtype:attempted-admin; sid:11494; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 lsarpc LsarAddPrivilegesToAccount overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 13|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11599; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11497; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11438; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc LsarAddPrivilegesToAccount unicode overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11477; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11491; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11416; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc 
LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11604; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11355; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11594; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11330; rev:3;) 
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB lsarpc WriteAndX little endian bind attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; distance:29; flowbits:set,dce.bind.lsarpc; flowbits:noalert; classtype:protocol-command-decode; sid:11371; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11448; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS lsarpc LsarAddPrivilegesToAccount unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; 
reference:cve,2007-2446; classtype:attempted-admin; sid:11474; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount object call overflow attempt"; flowbits:isset,dce.bind.lsarpc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 13|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11610; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xW4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11590; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB lsarpc LsarAddPrivilegesToAccount little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.lsarpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; reference:cve,2007-2446; classtype:attempted-admin; sid:11484; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11798; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11763; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 
00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11786; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11707; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11754; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB nddeapi unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11730; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11791; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 
2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11692; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11742; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11699; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11753; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11732; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11704; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX little endian andx overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11772; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11711; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11789; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11722; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11721; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11814; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11761; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11797; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11709; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11784; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB nddeapi little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11696; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11747; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; 
reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11736; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11689; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11694; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; 
reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11744; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11805; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11770; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11739; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11728; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11810; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11779; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; 
within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11713; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11698; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11783; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11759; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11794; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11760; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11767; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11750; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi 
NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11748; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11715; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; 
content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11777; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11735; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11811; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11725; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11769; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11762; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11756; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11700; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX little endian object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11752; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11703; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11726; rev:3;) # alert tcp $EXTERNAL_NET 
any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11793; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11781; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11765; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11723; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 
00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11775; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11717; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11815; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode little endian andx alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11718; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11741; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11801; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11808; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11691; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11743; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11705; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11806; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11719; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11729; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11710; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11720; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11712; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode little 
endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11788; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11706; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; 
distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11790; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11800; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; 
reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11766; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11731; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11688; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11738; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11693; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11745; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11727; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11813; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; 
reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11778; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11708; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11804; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11773; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11787; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11799; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11755; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; 
isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11796; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11737; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11764; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11746; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11734; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; 
isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11749; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11714; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11740; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11724; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11771; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11812; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11776; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11757; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11802; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11803; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11701; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11785; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11758; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11782; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11695; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi WriteAndX little 
endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11733; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 nddeapi NDdeSetTrustedShareW WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11768; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11716; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11807; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11697; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11809; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11751; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; 
flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11702; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 nddeapi NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11774; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11792; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi 
NDdeSetTrustedShareW WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11780; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi NDdeSetTrustedShareW WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:11795; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB nddeapi WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:11690; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11879; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11869; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11916; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11862; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode object call overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11848; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11932; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11926; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11893; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11863; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11898; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11877; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11891; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11914; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11904; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11888; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11902; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11853; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11934; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11865; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB spoolss AddPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11928; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11872; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11921; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11903; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11885; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11911; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11875; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11856; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11868; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11844; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11908; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11935; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11883; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11846; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11894; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11858; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11873; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; 
reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11896; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11923; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11882; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode little endian andx overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11901; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11851; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11918; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11889; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 
23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11906; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11930; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11859; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11931; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; 
reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11907; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11927; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11864; rev:4;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11915; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11925; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode 
object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11887; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11847; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11861; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11880; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11933; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11854; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; 
reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11866; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11929; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11871; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB spoolss AddPrinter andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11937; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11878; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11913; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11899; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11849; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11892; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11905; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11870; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11912; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11922; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; 
reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11850; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11860; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11938; rev:4;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11920; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11897; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11876; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11890; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 
05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11886; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11855; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11919; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11852; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11881; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter little endian andx object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11895; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11910; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 05|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11909; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11900; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss AddPrinter unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11867; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11924; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 05|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11936; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11884; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|05 00|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11845; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss AddPrinter unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 05|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,256,28,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11874; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss AddPrinter little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|05 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11857; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss AddPrinter unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|05 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,256,28,little,relative; reference:bugtraq,14514; reference:cve,2005-1984; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-043; classtype:attempted-admin; sid:11917; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT v4 ca-alert function 16 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; within:16; distance:22; content:"|10 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,200,12,little,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12101; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 23 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|17 00|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; byte_test:4,>,200,12,little,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12110; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 16 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|10 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,200,12,little,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12105; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 23 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|17 00|"; within:2; distance:19; byte_test:4,>,200,12,little,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12107; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 23 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 17|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,200,12,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12111; rev:3;) # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 16 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 10|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,200,12,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12104; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 23 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 17|"; within:2; distance:19; byte_test:4,>,200,12,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12109; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 16 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 10|"; within:2; distance:19; byte_test:4,>,200,12,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12102; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT v4 ca-alert function 23 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; within:16; distance:22; content:"|17 00|"; within:2; distance:28; content:"|00 00|"; 
within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,200,12,little,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12108; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT v4 ca-alert function 23 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; within:16; distance:22; content:"|00 17|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,200,12,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12106; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert function 16 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.ca-alert; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|10 00|"; within:2; distance:19; byte_test:4,>,200,12,little,relative; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12103; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"D|00 03 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12334; rev:6;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|08 05 03 00|"; within:4; byte_test:4,>,528,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12309; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|00 1F 00|"; within:3; distance:1; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12320; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|0C 01 03 00|"; within:4; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12323; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; 
within:2; distance:19; content:"|08 05 03 00|"; within:4; byte_test:4,>,528,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12310; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect-earthagent; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|00 1F 00|"; within:3; distance:1; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12322; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"D|00 03 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12330; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|0C 01 03 00|"; within:4; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12325; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS 
DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|10 00 0A 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12349; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|10 00 0A 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12350; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 trend-serverprotect-earthagent RPCFN_CopyAUSrc little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|00 1F 00|"; within:3; distance:1; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12318; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; 
flowbits:set,dce.bind.trend-serverprotect-earthagent; flowbits:noalert; classtype:protocol-command-decode; sid:12313; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|08 05 03 00|"; within:4; byte_test:4,>,528,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12312; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|0C 01 03 00|"; within:4; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12327; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_30010 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^(\x10|\x0d)/Rs"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12338; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT 
trend-serverprotect _SetSvcImpersonateUser little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|10 00 0A 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12351; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect-earthagent; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|00 1F 00|"; within:3; distance:1; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12319; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"D|00 03 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12329; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 
00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"0|00 0A 00|"; within:4; byte_test:4,>,260,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12344; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|10 00 0A 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12348; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect-earthagent; flowbits:noalert; classtype:protocol-command-decode; sid:12316; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|08 05 03 00|"; within:4; byte_test:4,>,528,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12311; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian object call attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"D|00 03 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12333; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"0|00 0A 00|"; within:4; byte_test:4,>,260,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12346; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect-earthagent; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|00 1F 00|"; within:3; distance:1; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12321; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^(\x10|\x0d)/Rs"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12340; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"|08 05 03 00|"; within:4; byte_test:4,>,528,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12308; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|0C 01 03 00|"; within:4; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12324; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"D|00 03 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12331; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent 
alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect-earthagent; flowbits:noalert; classtype:protocol-command-decode; sid:12314; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; content:"0|00 0A 00|"; within:4; byte_test:4,>,260,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12342; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^(\x10|\x0d)/Rs"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12339; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|88 88 28|%[|BD D1 11 9D|S|00 80 C8 3A 5C|,"; distance:29; flowbits:set,dce.bind.trend-serverprotect-earthagent; flowbits:noalert; classtype:protocol-command-decode; sid:12315; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|10 00 0A 00|"; within:4; byte_test:4,>,520,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12352; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"|0C 01 03 00|"; within:4; byte_test:4,>,512,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12328; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"0|00 0A 00|"; within:4; byte_test:4,>,260,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12343; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^(\x10|\x0d)/Rs"; content:"|00 03 00|"; 
within:3; byte_test:4,>,38,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12336; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; pcre:"/^(\x10|\x0d)/Rs"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12337; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"DELETED NETBIOS DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.trend-serverprotect; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; content:"0|00 0A 00|"; within:4; byte_test:4,>,260,0,little,relative; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12345; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; distance:29; flowbits:set,dce.bind.ca-alert; reference:cve,2007-4620; classtype:protocol-command-decode; sid:12356; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; distance:29; 
flowbits:set,dce.bind.ca-alert; reference:cve,2007-4620; classtype:protocol-command-decode; sid:12354; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; distance:29; flowbits:set,dce.bind.ca-alert; reference:cve,2007-4620; classtype:protocol-command-decode; sid:12353; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS DCERPC DIRECT ca-alert bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|90 28|t=|7C|9|CF 11 9B F1 00 80|_|88 CB|r"; distance:29; flowbits:set,dce.bind.ca-alert; reference:cve,2007-4620; classtype:protocol-command-decode; sid:12355; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12543; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo little endian andx attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12565; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12516; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12541; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12555; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12557; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12560; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; 
classtype:protocol-command-decode; sid:12567; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12537; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12572; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc 
NetrWkstaGetInfo little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12577; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12550; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12584; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12522; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12509; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12525; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; 
byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12492; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12511; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12490; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12499; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12528; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12563; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12518; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; 
reference:cve,2006-6723; classtype:protocol-command-decode; sid:12539; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12579; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12559; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12494; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12512; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; 
content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12501; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12552; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12569; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12562; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; 
byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12491; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12504; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12496; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12582; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrWkstaGetInfo little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12589; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 
02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12573; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12564; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; 
classtype:protocol-command-decode; sid:12529; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12514; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12533; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12554; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12531; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; 
sid:12587; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12545; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12556; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12506; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12517; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12520; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12580; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12503; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12523; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12575; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12535; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12568; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12558; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12585; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12527; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo object call attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12521; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12526; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; 
distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12493; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12578; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; 
reference:cve,2006-6723; classtype:protocol-command-decode; sid:12510; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12544; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrWkstaGetInfo object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12590; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12519; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12538; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; 
content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12549; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12542; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12571; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12583; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12508; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12566; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12574; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12513; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12540; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 
F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12498; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12547; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12497; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12534; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12551; rev:7;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12505; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12515; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12530; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12500; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; 
byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12548; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12561; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12507; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12524; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12576; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12553; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12581; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 wkssvc NetrWkstaGetInfo little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; 
classtype:protocol-command-decode; sid:12588; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12532; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12502; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS wkssvc NetrWkstaGetInfo WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|02 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12536; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT wkssvc NetrWkstaGetInfo little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12586; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 wkssvc NetrWkstaGetInfo unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|00 02|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12495; rev:7;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 wkssvc NetrWkstaGetInfo WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; content:"|02 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12546; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB wkssvc NetrWkstaGetInfo unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.wkssvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 02|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,little,relative; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12570; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian andx 
object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12882; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12875; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12821; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; distance:29; flowbits:set,dce.bind.brightstor-arc3; flowbits:noalert; classtype:protocol-command-decode; sid:12909; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12900; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12862; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 10|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12925; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12851; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; 
reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12888; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|12 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12933; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12911; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12835; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX little endian 
overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12842; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12894; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 0D|"; within:2; distance:19; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,4999,0,relative; reference:bugtraq,26015; reference:cve,2007-5327; classtype:attempted-admin; sid:12942; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode andx object call overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12816; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12873; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; 
within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12809; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12828; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; distance:29; flowbits:set,dce.bind.brightstor-arc3; flowbits:noalert; classtype:protocol-command-decode; sid:12907; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; 
reference:cve,2006-5854; classtype:attempted-admin; sid:12836; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12844; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12818; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12852; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12811; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12918; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12860; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 12 attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12917; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12892; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12879; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12893; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12839; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB spoolss OpenPrinter andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12825; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 18 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; within:16; distance:22; content:"|12 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12929; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12855; rev:5;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12886; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12830; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12819; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|13 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12939; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12813; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; 
reference:cve,2006-5854; classtype:attempted-admin; sid:12891; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12856; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12847; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12826; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 13|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12936; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 mqqm QMCreateObjectInternal overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|00 06|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,0,relative; byte_test:4,>,142,4,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:12980; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12898; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12869; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12823; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12870; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12920; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12867; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; 
within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12902; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|10 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12923; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12877; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 18 attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; within:16; distance:22; content:"|00 12|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12930; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB v4 spoolss OpenPrinter WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12843; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12858; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 
00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12849; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 04|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12914; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12815; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc2 CA call 269 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|90 18|kP|C8 14 D1 11 BB C3 00 80|_|A6 96|."; within:16; distance:22; content:"|0D 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,4999,0,little,relative; reference:bugtraq,26015; 
reference:cve,2007-5327; classtype:attempted-admin; sid:12941; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12896; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|06 00|"; within:2; distance:19; byte_test:4,=,1,0,little,relative; byte_test:4,>,142,4,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:12981; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12881; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12913; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12833; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12885; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 19 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; within:16; distance:22; content:"|13 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12935; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 12|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12932; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; 
classtype:attempted-admin; sid:12841; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12845; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12919; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; 
byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12883; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0D 01|"; within:2; distance:19; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,4999,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5327; classtype:attempted-admin; sid:12943; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12865; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12874; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12871; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12834; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12897; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12901; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12850; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12829; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 10|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12927; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12820; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12837; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12889; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12817; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12853; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|13 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12937; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12810; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12895; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12861; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 16 
attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; within:16; distance:22; content:"|00 10|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12924; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12872; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12863; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 little endian bind attempt"; 
flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; distance:29; flowbits:set,dce.bind.brightstor-arc3; flowbits:noalert; classtype:protocol-command-decode; sid:12908; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0D 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,4999,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5327; classtype:attempted-admin; sid:12945; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12890; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc2; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 0D|"; within:2; 
distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,4999,0,relative; reference:bugtraq,26015; reference:cve,2007-5327; classtype:attempted-admin; sid:12944; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12812; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12846; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12857; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12827; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12921; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12832; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12868; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; distance:29; flowbits:set,dce.bind.brightstor-arc3; flowbits:noalert; classtype:protocol-command-decode; sid:12906; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; 
within:1; distance:1; byte_test:1,&,128,0,relative; content:"|10 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12926; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 06|"; within:2; distance:19; byte_test:4,=,1,0,relative; byte_test:4,>,142,4,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:12982; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|01 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12854; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12824; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12887; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12838; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 mqqm QMCreateObjectInternal little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; 
within:16; distance:22; content:"|06 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,0,little,relative; byte_test:4,>,142,4,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:12979; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12878; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|04 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12915; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12859; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12864; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12814; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter unicode overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12903; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12899; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12880; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 brightstor-arc3 CA opcode 4 little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0|^C|88 1A 86 CE 11 B8|k|00 00 1B|'|F6|V"; within:16; distance:22; content:"|04 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12912; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12884; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12866; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12840; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|01 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12876; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 little endian attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|12 00|"; within:2; distance:19; byte_test:4,>,256,0,little,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12931; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12831; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss OpenPrinter WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 01|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12822; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.brightstor-arc3; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 
13|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,0,relative; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12938; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss OpenPrinter andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 01|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,458,4,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12848; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; 
classtype:protocol-command-decode; sid:13020; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12991; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13069; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity unicode andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13038; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13043; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13003; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 
2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13027; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13091; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13086; rev:6;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13059; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; 
sid:13000; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX little endian integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12993; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13067; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13009; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13064; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13018; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13071; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13011; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13031; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13032; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13045; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity unicode little endian integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12986; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13076; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13016; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 srvsvc NetSetFileSecurity little 
endian integer overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13088; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13029; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13050; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX little endian andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13033; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode little endian andx 
integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13062; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode little endian andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13047; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13013; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13055; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13082; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13023; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED 
NETBIOS SMB v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12998; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13095; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; 
content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13078; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13081; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13096; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity unicode little endian integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12987; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13010; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX little endian andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13057; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13049; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode little endian andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13036; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity unicode little endian andx integer overflow attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13035; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13015; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 
138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13005; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity unicode integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12996; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] 
(msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13025; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13084; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13026; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13072; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity 
little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13093; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity unicode integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12990; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13040; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13077; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS 
SMB srvsvc NetSetFileSecurity little endian andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13056; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13001; rev:6;) # alert udp $EXTERNAL_NET any 
-> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13028; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; 
reference:cve,2007-2446; classtype:protocol-command-decode; sid:12994; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13090; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13066; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity 
unicode little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13014; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX little endian andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13061; 
rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13068; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode little endian integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12999; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13039; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13030; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13017; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13074; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13042; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12997; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13070; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity integer 
overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13089; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13051; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13006; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 srvsvc NetSetFileSecurity integer overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13080; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode little endian andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13058; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12992; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; 
distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13008; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 srvsvc NetSetFileSecurity integer overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13087; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity unicode andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13044; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13021; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13019; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13053; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13052; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13024; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13094; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12995; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13073; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity WriteAndX unicode little endian integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12988; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13004; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13083; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity unicode little endian andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13034; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB v4 srvsvc NetSetFileSecurity little endian andx integer overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13046; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13097; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13079; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13007; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13065; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13022; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity little endian andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13060; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx object call integer overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13075; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13092; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13002; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13085; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13054; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12989; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13048; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13012; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc NetSetFileSecurity WriteAndX little endian andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13041; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13063; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 srvsvc 
NetSetFileSecurity little endian andx integer overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13037; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13196; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13187; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13190; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13178; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13171; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13164; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 mqqm QMObjectPathToObjectFormat overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; 
pcre:"/^.{2}/sR"; byte_test:4,>,142,0,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:13214; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13199; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13180; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; 
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13183; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13189; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; 
reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13206; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13176; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13192; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13169; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13175; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13201; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13195; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13184; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13167; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13197; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13203; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13173; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13205; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13172; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13179; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13191; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; byte_test:4,>,142,0,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:13212; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13181; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13186; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13165; 
rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13200; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13170; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13207; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,142,0,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:13215; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13177; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13193; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 mqqm QMObjectPathToObjectFormat little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|0C 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,142,0,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:13213; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13198; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13163; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13182; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; 
classtype:attempted-admin; sid:13188; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13202; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13185; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13208; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13204; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB spoolss EnumPrinters WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13174; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,little,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13168; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13194; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; 
reference:cve,2006-5854; classtype:attempted-admin; sid:13166; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 spoolss EnumPrinters unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,256,8,relative; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:13209; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13401; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; 
within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13383; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13377; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13391; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13403; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13375; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode little endian attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13381; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13370; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13405; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13387; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; 
reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13407; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13412; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13374; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13396; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13398; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13414; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13372; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 
00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13409; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13400; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13385; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13380; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13394; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13410; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13399; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; 
pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13368; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13369; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13392; rev:6;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13378; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13386; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13384; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData unicode little endian andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13397; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; 
classtype:protocol-command-decode; sid:13379; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13382; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13389; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13376; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13402; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData unicode andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 
2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13395; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode little endian andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13413; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13388; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData 
WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13404; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode little endian object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13390; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData unicode andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13411; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData unicode attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13371; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX andx object call attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 1A|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13408; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData unicode little endian attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|1A 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13373; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS spoolss GetPrinterData WriteAndX unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.bind.spoolss; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; reference:bugtraq,21401; reference:cve,2006-5854; classtype:protocol-command-decode; sid:13406; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS v4 spoolss GetPrinterData WriteAndX andx 
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:22; content:"|00 1A|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,>,65536,0,relative; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13393; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS nddeapi little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; distance:29; flowbits:set,dce.bind.nddeapi; flowbits:noalert; classtype:protocol-command-decode; sid:2928; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 06|"; within:2; distance:19; byte_test:4,=,1,0,relative; byte_test:4,>,142,4,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14622; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS 
DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal little endian object call overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|06 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,0,little,relative; byte_test:4,>,142,4,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14624; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 06|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,0,relative; byte_test:4,>,142,4,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14627; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal object call overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 06|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,0,relative; byte_test:4,>,142,4,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14626; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,142,0,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14620; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,142,0,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14618; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|06 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,=,1,0,little,relative; byte_test:4,>,142,4,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14625; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 mqqm QMObjectPathToObjectFormat overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|00 0C|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,>,142,0,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; 
classtype:attempted-admin; sid:14616; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat little endian overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; byte_test:4,>,142,0,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14617; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 mqqm QMCreateObjectInternal overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:22; content:"|00 06|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; byte_test:4,=,1,0,relative; byte_test:4,>,142,4,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14623; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat little endian object call overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|0C 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,142,0,little,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14621; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat object call overflow attempt"; flowbits:isset,dce.bind.mqqm; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 0C|"; within:2; distance:19; 
pcre:"/^.{16}/sR"; byte_test:4,>,142,0,relative; reference:cve,2007-3039; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-065; classtype:attempted-admin; sid:14619; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB netdfs unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0|B|C7|O|10|J|CF 11 82|s|00 AA 00|J|E6|s"; distance:29; flowbits:set,dce.bind.netdfs; flowbits:noalert; classtype:protocol-command-decode; sid:14899; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS SMB netdfs unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|E0|B|C7|O|10|J|CF 11 82|s|00 AA 00|J|E6|s"; distance:29; flowbits:set,dce.bind.netdfs; flowbits:noalert; classtype:protocol-command-decode; sid:14987; rev:3;) # alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"DELETED SMTP Adobe PDF JBIG2 remote code execution attempt"; flow:to_client, established; content:"JBIG2Decode"; nocase; content:"stream|0D 0A|"; distance:0; byte_test:1, &, 64, 4, relative; byte_test:1, <, 32, 5, relative; byte_test:4, >, 35256, 6, relative,little; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15356; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity unicode andx object call 
integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13110; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; 
reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13117; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc NetSetFileSecurity object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13157; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13155; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; 
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13125; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13105; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 
srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13138; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13131; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13148; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13141; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13150; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx integer overflow attempt"; 
flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13103; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; 
classtype:protocol-command-decode; sid:13115; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity WriteAndX unicode little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13123; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity unicode little endian andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13098; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13143; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13135; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13108; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity WriteAndX little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13121; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13151; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX little endian andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13101; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13128; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13145; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13133; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13106; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13153; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13119; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13112; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13126; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity andx object call integer overflow attempt"; 
flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13104; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13132; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; 
within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13139; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity WriteAndX unicode little endian andx integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13099; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13116; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity WriteAndX unicode andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13111; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 srvsvc NetSetFileSecurity integer overflow attempt"; 
flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13147; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 srvsvc NetSetFileSecurity integer overflow attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13140; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; 
pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13156; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13124; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity WriteAndX andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; 
distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13109; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13130; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13114; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13137; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity unicode little endian andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13102; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 srvsvc NetSetFileSecurity little endian integer overflow attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|28 00|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13142; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc NetSetFileSecurity object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13149; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity unicode little endian 
andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13122; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity WriteAndX unicode andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; 
byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13107; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity little endian andx integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13100; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; 
sid:13152; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 28|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13113; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP srvsvc NetSetFileSecurity integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13136; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 srvsvc NetSetFileSecurity integer overflow attempt"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; content:"|00 28|"; within:2; distance:28; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13129; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity little endian integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|28 00|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13144; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; 
classtype:protocol-command-decode; sid:13134; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP srvsvc NetSetFileSecurity little endian object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13154; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB srvsvc NetSetFileSecurity unicode little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; 
classtype:protocol-command-decode; sid:13118; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS srvsvc NetSetFileSecurity little endian andx object call integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13120; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB srvsvc NetSetFileSecurity WriteAndX unicode little endian andx object call integer overflow attempt"; flowbits:isset,dce.bind.srvsvc; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|28 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,=,4294967295,40,little,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13127; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.srvsvc; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 28|"; within:2; distance:19; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; byte_test:4,=,4294967295,40,relative; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:13146; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"DELETED POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"DELETED POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:10;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:10;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; 
classtype:shellcode-detect; sid:653; rev:11;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:8;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2312; rev:4;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:4;) # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"DELETED TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED WEB-CLIENT HP OpenView Network Node Manager Toolbar.exe HTTP request buffer overflow attempt"; flow:established,to_server; content:"/ToolBar.exe?"; nocase; http_uri; content:"GET "; nocase; pcre:"/\x2fToolBar\x2eexe\x3f.*?(Context|Action)=[^\x20\x26]{1025}/Ui"; reference:bugtraq,33147; reference:cve,2008-0067; classtype:attempted-user; sid:15242; rev:5;) # alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"DELETED BACKDOOR subseven 22"; flow:to_client,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:11;) # alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR subseven DEFCON8 2.1 acces s"; flow:to_client,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:10;) # alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"DELETED MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:8;) 
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"DELETED MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2103 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:12976; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2103 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:12973; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2103 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:12975; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2103 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP mqqm little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; distance:29; flowbits:set,dce.bind.mqqm; flowbits:noalert; classtype:bad-unknown; sid:12974; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"DELETED P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; 
rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3104 (msg:"DELETED EXPLOIT CA message queuing erroneous length field"; flow:to_server,established; pcre:!"/^[0-9][0-9]/"; reference:bugtraq,25051; reference:cve,2007-0060; classtype:attempted-user; sid:12254; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"DELETED EXPLOIT ntpdx overflow attempt"; flow:to_server; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; reference:nessus,10647; classtype:attempted-admin; sid:312; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; content:".csp"; http_uri; content:".csp"; content:"."; within:1; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2064; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3588; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; 
distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3571; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3574; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3562; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; 
depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3612; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3585; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; 
byte_test:4,>,512,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3614; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3607; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3584; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
mqqm WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3563; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3623; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3566; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3618; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3581; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX little endian 
bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3577; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3624; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3611; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3589; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3586; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3565; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3570; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; 
classtype:protocol-command-decode; sid:3617; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3608; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3603; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject little endian 
overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3620; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3573; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; 
within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3582; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3609; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3569; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3576; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3604; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 
00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3610; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3602; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm QMDeleteObject overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3605; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
139 (msg:"DELETED NETBIOS SMB mqqm unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3572; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3564; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3587; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3583; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3568; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; 
byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3616; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3579; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3625; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3606; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3615; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3580; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3613; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3575; rev:4;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3621; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3578; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; 
distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8,little; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3619; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.mqqm.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 09|"; within:2; distance:19; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,512,8; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:protocol-command-decode; sid:3622; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB mqqm bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"0|A0 B3 FD|_|06 D1 11 BB 9B 00 A0 24 EA|U%"; within:16; distance:29; 
flowbits:set,dce.mqqm.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3567; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB Trans andx mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:"|5C|MAILSLOT|5C|"; within:10; distance:4; pcre:"/^((Messngr|Alerter)\x00|(?!.*\x00))/Ri"; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7045; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB Trans unicode andx mailslot heap overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:"|5C|MAILSLOT|5C|"; within:10; distance:4; pcre:"/^((Messngr|Alerter)\x00|(?!.*\x00))/Ri"; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7046; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS Trans unicode andx mailslot heap overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:"|5C|MAILSLOT|5C|"; within:10; distance:4; pcre:"/^((Messngr|Alerter)\x00|(?!.*\x00))/Ri"; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7044; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS Trans andx mailslot heap overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:"|5C|MAILSLOT|5C|"; within:10; distance:4; pcre:"/^((Messngr|Alerter)\x00|(?!.*\x00))/Ri"; reference:bugtraq,18864; reference:cve,2006-1314; reference:cve,2006-3942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-035; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-063; classtype:protocol-command-decode; sid:7043; rev:9;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"|EB|0^|FC AD 93 AD 8D 1C 18 AD 8D 14 18 87 D1|VZ|01 1E AD E2 FB|V|8B 02|"; classtype:shellcode-detect; sid:10506; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"|EB|'[|8B F3|3|C9 B1 87 8B FB 8A 13 83 C3 01 80 E2 0F C0 E2 04 8A 03 83 C3|"; classtype:shellcode-detect; sid:10507; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode 
basic encoder"; content:"U|89 E5 83 EC|P|E8 00 00 00 00|[|89 DC 83 EC| |81 E4 00 FF FF FF 8D 83|^"; classtype:shellcode-detect; sid:10508; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"SQ|83 EC 14 C7|D|24 FC 00 00 00 00 C7|D|24 F8 01 00 00 00 C7|D|24 F4 02|"; classtype:shellcode-detect; sid:10509; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"|EB 19|[|8B|3|8B|{|04 01 FE 8B|K|08 01 F1 83 C3 0C 01|3|83 C3 04 E2 F9 EB|"; classtype:shellcode-detect; sid:10510; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"|EB|AX|8B D8 8B|3|8B|{|04 03 F7 8B|K|08 03 CE|3|C0 B0 08|@@@@|03|"; classtype:shellcode-detect; sid:10511; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"|82 18|@|01 80 A0|@|01|&|BF FF FF|&|BF FF FF 7F FF FF FF 8A 18|@|01 BE 23|"; classtype:shellcode-detect; sid:10512; rev:3;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE Canvas shellcode basic encoder"; content:"|EB|AX|8B D8 8B|3|8B|{|04 03 F7 8B|K|03 CE|3|C0 B0|@@@@|03 D8 8B|"; classtype:shellcode-detect; sid:10513; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID access"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; classtype:attempted-user; sid:7972; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID unicode access"; flow:established,to_client; 
content:"C|00|F|00|C|00|D|00|A|00|A|00|0|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00C\x00D\x00A\x00A\x000\x003\x00-\x008\x00B\x00E\x004\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x004\x00B\x00-\x000\x000\x002\x000\x00A\x00F\x00B\x00B\x00C\x00C\x00F\x00A\x00/si"; classtype:attempted-user; sid:7973; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:to_server,established; content:"|01 02|"; depth:2; nocase; flowbits:set,superSpy_20_Beta_FileMgt; flowbits:noalert; classtype:trojan-activity; sid:8476; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt"; flow:to_server,established; content:"subscribe"; nocase; pcre:"/^\S+\s+subscribe\s*\{\s/smi"; byte_test:5,>,250,0,string,dec,relative; reference:bugtraq,24962; reference:cve,2007-3927; reference:url,www.ipswitch.com/support/ics/updates/ics200621.asp; classtype:attempted-admin; sid:12214; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt"; flow:to_server,established; content:"subscribe"; nocase; pcre:"/^\S+\s+subscribe\s+[^\n]{250}/smi"; reference:bugtraq,24962; reference:cve,2007-3927; reference:url,www.ipswitch.com/support/ics/updates/ics200621.asp; classtype:attempted-admin; sid:12215; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT ADODB.Stream ActiveX CLSID access"; flow:established,to_client; content:"00000566-0000-0010-8000-00AA006D2EA4"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000566-0000-0010-8000-00AA006D2EA4/si"; classtype:attempted-user; sid:8061; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access"; flow:established,to_client; content:"I|00|E|00|R|00|P|00|C|00|t|00|l|00|.|00|I|00|E|00|R|00|P|00|C|00|t|00|l|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12671; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access"; flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; pcre:"/]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5\s*}?\s*(?P=q1)(\s|>)/si"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12668; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access"; flow:established,to_client; content:"IERPCtl.IERPCtl"; pcre:"/(?P\w+)\s*=\s*(\x22IERPCtl\.IERPCtl\x22|\x27IERPCtl\.IERPCtl\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IERPCtl\.IERPCtl\x22|\x27IERPCtl\.IERPCtl\x27)\s*\)/smi"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; 
reference:bugtraq,22811; classtype:attempted-user; sid:12670; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access"; flow:established,to_client; content:"F|00|D|00|C|00|7|00|A|00|5|00|3|00|5|00|-|00|4|00|0|00|7|00|0|00|-|00|4|00|B|00|9|00|2|00|-|00|A|00|0|00|E|00|A|00|-|00|D|00|9|00|9|00|9|00|4|00|B|00|C|00|C|00|0|00|D|00|C|00|5|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12669; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC whisker HEAD with large datagram"; flow:to_server,established,no_stream; dsize:>512; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC whisker tab splice attack"; flow:to_server,established; dsize:<5; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:12;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 4 requests"; flow:to_server; content:"|00 04|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3446; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 9 requests"; flow:to_server; content:"|00 09|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3451; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 5 requests"; flow:to_server; content:"|00 05|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3447; 
rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 2 requests"; flow:to_server; content:"|00 02|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3444; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 1 requests"; flow:to_server; content:"|00 01|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3443; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 10 requests"; flow:to_server; content:"|00 0A|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3452; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 6 requests"; flow:to_server; content:"|00 06|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3448; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 3 requests"; flow:to_server; content:"|00 03|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3445; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 8 requests"; flow:to_server; content:"|00 08|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3450; rev:9;) # alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 7 requests"; flow:to_server; content:"|00 07|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3449; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"DELETED MISC rsyncd overflow attempt"; flow:to_server,established; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS nimda .eml"; 
flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.alternate.login; content:"|17 03 01 00 D9|"; depth:5; classtype:policy-violation; sid:6001; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED P2P Skype client login startup"; flow:to_server,established; content:"|16 03 01 00 CD|"; depth:5; flowbits:set,skype.alternate.login; flowbits:noalert; classtype:policy-violation; sid:6000; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"DELETED EXPLOIT Zenworks password authentication buffer overflow"; flow:established, to_server; content:"|00 01|"; depth:2; offset:16; byte_jump:2, 0, relative; byte_jump:2, 0, relative; byte_jump:2, 0, relative; content:"|00 01 00 02|"; within:4; distance:2; byte_test:2,>,28,0,relative; classtype:attempted-admin; sid:11617; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI scriptalias access"; flow:to_server,established; content:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS Internet Data Query exair query.idq directory traversal attempt"; flow:to_server,established; content:"/iissamples/exair/search/query.idq?"; nocase; http_uri; content:"CiTemplate="; nocase; http_uri; reference:bugtraq,968; reference:cve,2000-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:10397; rev:4;) # alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS Internet Data Query iissamples fastq.idq directory traversal attempt"; flow:to_server,established; content:"/iissamples/issamples/fastq.idq?"; nocase; http_uri; content:"CiTemplate="; nocase; http_uri; reference:bugtraq,968; reference:cve,2000-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:10399; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS Internet Data Query iissamples query.idq directory traversal attempt"; flow:to_server,established; content:"/iissamples/issamples/query.idq?"; nocase; http_uri; content:"CiTemplate="; nocase; http_uri; reference:bugtraq,968; reference:cve,2000-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:10400; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS Internet Data Query query.idq directory traversal attempt"; flow:to_server,established; content:"/query.idq?"; nocase; http_uri; content:"CiTemplate="; nocase; http_uri; reference:bugtraq,968; reference:cve,2000-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:10396; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS Internet Data Query exair search.idq directory traversal attempt"; flow:to_server,established; content:"/iissamples/exair/search/search.idq?"; nocase; http_uri; content:"CiTemplate="; nocase; http_uri; reference:bugtraq,968; reference:cve,2000-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:10398; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS Internet Data Query prxdocs prxrch.idq directory traversal attempt"; flow:to_server,established; content:"/prxdocs/misc/prxrch.idq?"; nocase; 
http_uri; content:"CiTemplate="; nocase; http_uri; reference:bugtraq,968; reference:cve,2000-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:10401; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR reversable ver1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,ReVerSaBle_InitConnection; content:"OKCONNECTTOME"; depth:13; reference:url,www.megasecurity.org/trojans/r/reversable/Reversable1.0.html; classtype:trojan-activity; sid:7725; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; pcre:"/^.{27}/sR"; byte_test:2,>,64,23,little,relative; reference:cve,2006-5276; classtype:attempted-admin; sid:10158; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; pcre:"/^.{27}/sR"; byte_test:2,>,64,23,little,relative; reference:cve,2006-5276; classtype:attempted-admin; sid:10159; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; pcre:"/^.{27}/sR"; byte_test:2,>,64,23,little,relative; reference:cve,2006-5276; classtype:attempted-admin; sid:10160; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; 
distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2952; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:537; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2953; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:538; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2954; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 
(msg:"DELETED NETBIOS-DG SMB IPC$ share access"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2465; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2955; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB IPC$ unicode share access"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2466; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC whisker space splice attack"; flow:to_server,established; dsize:1; content:" "; reference:arachnids,296; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access"; flow:established,to_client; 
content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x009\x00E\x00A\x00C\x009\x00E\x006\x00-\x00B\x00A\x00F\x009\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x004\x00B\x00A\x009\x000\x00B\x00/si"; classtype:attempted-user; sid:7963; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x009\x00E\x00A\x00C\x009\x00E\x006\x00-\x00B\x00A\x00F\x009\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x004\x00B\x00A\x009\x000\x00B\x00/si"; classtype:attempted-user; sid:7967; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access"; flow:established,to_client; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B/si"; classtype:attempted-user; sid:7962; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access"; 
flow:established,to_client; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B/si"; classtype:attempted-user; sid:7966; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x009\x00E\x00A\x00C\x009\x00E\x006\x00-\x00B\x00A\x00F\x009\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x004\x00B\x00A\x009\x000\x00B\x00/si"; classtype:attempted-user; sid:7969; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x009\x00E\x00A\x00C\x009\x00E\x006\x00-\x00B\x00A\x00F\x009\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x004\x00B\x00A\x009\x000\x00B\x00/si"; classtype:attempted-user; sid:7965; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol 
Handler ActiveX CLSID access"; flow:established,to_client; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B/si"; classtype:attempted-user; sid:7964; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access"; flow:established,to_client; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B/si"; classtype:attempted-user; sid:7968; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x009\x00E\x00A\x00C\x009\x00E\x006\x00-\x00B\x00A\x00F\x009\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x004\x00B\x00A\x009\x000\x00B\x00/si"; classtype:attempted-user; sid:7961; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID access"; flow:established,to_client; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B/si"; classtype:attempted-user; sid:7960; rev:6;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR icmp cmd 1.0 runtime detection - download file"; itype:0; content:"http|3A|//"; nocase; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10106; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns bind attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10805; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10701; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10770; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10751; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10713; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10709; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10735; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10766; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10721; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; 
content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10745; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10758; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10790; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED 
NETBIOS-DG SMB dns WriteAndX little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10743; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10782; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns bind attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10803; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10703; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10772; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10732; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10760; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10723; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10705; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10733; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10710; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10698; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10749; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10761; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10795; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; 
flowbits:noalert; classtype:protocol-command-decode; sid:10791; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10780; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10784; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10752; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10809; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10731; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10707; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX 
unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10737; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10768; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10754; 
rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10793; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10797; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns little endian bind attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10807; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; 
distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10711; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10779; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10720; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10800; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC 
NCACN-HTTP dns little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10804; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10771; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10744; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10719; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns little endian alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10798; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10724; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; 
sid:10783; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10759; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10722; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10802; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10773; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10704; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10742; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10725; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10706; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10781; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns little endian alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10799; rev:5;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10736; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10730; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; 
sid:10769; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10785; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10808; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10778; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX unicode andx alter context attempt"; 
flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10757; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10794; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10712; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns unicode andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10753; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns WriteAndX little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10767; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10801; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10734; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10718; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10755; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10796; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG 
SMB dns unicode little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10792; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10746; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns little endian bind attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A4 C2 AB|PMW|B3|@@|9D|f|EE|O|D5 FB A0|v"; distance:29; flowbits:set,dce.bind.dns; flowbits:noalert; classtype:protocol-command-decode; sid:10806; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode little endian andx object call overflow attempt"; flow:established,to_server; 
flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10665; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10544; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10593; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10597; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs2 little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10681; rev:7;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 dns R_Dnssrv funcs2 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10671; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 unicode little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10575; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10619; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10636; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; 
content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10585; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10604; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10642; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 unicode overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10569; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10582; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; 
depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10571; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10621; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10628; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 dns R_Dnssrv funcs2 overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10678; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10595; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs2 little endian object call overflow attempt"; 
flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10692; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10591; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10673; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10559; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10657; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs2 object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10697; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10525; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10663; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns 
R_Dnssrv funcs2 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10549; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10639; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10567; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10564; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; 
pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10634; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10612; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 dns R_Dnssrv funcs2 little endian overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10675; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED 
NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10553; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10626; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10557; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10615; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 dns R_Dnssrv funcs2 little endian overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10668; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10540; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10527; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode little 
endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10547; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs2 little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10695; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10534; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs2 little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10684; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10650; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10551; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 unicode little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10647; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10543; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs2 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10682; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10584; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian andx object call overflow attempt"; flow:to_server; 
flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10620; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10561; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; 
distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10538; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10666; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 dns R_Dnssrv funcs2 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; 
classtype:attempted-admin; sid:10677; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10610; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10693; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; 
content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10605; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10633; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; 
content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10526; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10611; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10691; rev:5;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10656; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10578; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; 
byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10662; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs2 object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10694; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 unicode andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; 
reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10641; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10660; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10680; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10643; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10594; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10598; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10629; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10670; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 little endian object call overflow 
attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10539; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10654; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10563; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10689; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10528; rev:7;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10631; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10541; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10532; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10576; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10596; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10618; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10570; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 
unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10565; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10579; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 
AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10562; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10524; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; 
reference:cve,2007-1748; classtype:attempted-admin; sid:10548; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs2 overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10687; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10554; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10674; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10625; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10590; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 andx overflow 
attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10607; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10655; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10583; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10616; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; 
pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10635; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10533; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs2 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10696; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10535; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10685; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10667; rev:6;) # alert udp $EXTERNAL_NET any -> 
$HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10651; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10613; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs2 WriteAndX unicode little endian andx overflow attempt"; flow:to_server; content:"|11|"; 
depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10623; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 WriteAndX unicode little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10588; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10556; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10546; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10606; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x05\x00|\x06\x00|\x07\x00|\x08\x00|\x09\x00|\x0b\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10599; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs2 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10648; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 
135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 dns R_Dnssrv funcs2 overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10676; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs2 overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10683; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs2 unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; 
classtype:attempted-admin; sid:10637; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs2 unicode andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x05|\x00\x06|\x00\x07|\x00\x08|\x00\x09|\x00\x0b)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10600; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 dns R_Dnssrv funcs1 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10968; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; 
pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10844; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10885; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; 
byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10833; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10891; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10942; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs1 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10954; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10852; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10867; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10830; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10921; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10821; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10888; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS 
DCERPC NCADG-IP-UDP dns R_Dnssrv funcs1 little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10971; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10863; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10944; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10870; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10842; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; 
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10935; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs1 little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10974; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 dns R_Dnssrv funcs1 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10966; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX andx object 
call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10908; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs1 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10957; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10835; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10947; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 dns R_Dnssrv funcs1 little endian overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10961; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; 
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10940; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10883; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; 
pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10869; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10865; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10930; rev:4;) # alert udp 
$EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 unicode little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10822; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10917; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 little endian overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10813; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10937; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs1 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; 
pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10963; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10836; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10913; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED 
NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10816; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10906; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10934; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10939; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10846; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10915; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 unicode overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 
AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10857; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 dns R_Dnssrv funcs1 little endian overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10959; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10932; rev:5;) # alert tcp $EXTERNAL_NET any 
-> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10875; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10824; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10838; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10893; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; 
within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10943; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 dns R_Dnssrv funcs1 overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10965; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10818; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10928; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10904; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10841; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs1 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10976; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10953; rev:5;) # alert udp $EXTERNAL_NET any -> 
$HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10848; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10873; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10850; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 little endian overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10861; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode little endian andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; 
reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10945; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10820; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10862; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 unicode andx overflow attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10889; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10912; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; 
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10855; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10811; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs1 little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10955; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns 
R_Dnssrv funcs1 WriteAndX unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10941; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 dns R_Dnssrv funcs1 overflow attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10969; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10845; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10871; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; 
classtype:attempted-admin; sid:10924; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10831; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10890; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs1 overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10960; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 unicode andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10929; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs1 object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10970; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB 
dns R_Dnssrv funcs1 WriteAndX little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10922; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10868; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10902; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode little endian andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10918; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 unicode little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; 
byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10910; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 dns R_Dnssrv funcs1 overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10967; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 unicode little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10814; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 
(msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10907; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs1 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10977; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs1 object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10972; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10832; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs1 object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10975; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; 
offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10916; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10872; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX unicode overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; 
distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10856; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10933; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP dns R_Dnssrv funcs1 little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10958; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 andx overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; 
byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10896; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 unicode overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10849; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP dns R_Dnssrv funcs1 overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10962; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns 
R_Dnssrv funcs1 WriteAndX little endian andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10905; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10881; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 unicode little endian andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; 
content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10894; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP dns R_Dnssrv funcs1 overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10956; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; 
byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10927; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10834; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode andx overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10920; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv 
funcs1 unicode overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10817; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 WriteAndX little endian overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10858; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; 
byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10840; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB dns R_Dnssrv funcs1 WriteAndX unicode andx object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10914; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 little endian overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; 
byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10860; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_Dnssrv funcs1 little endian object call overflow attempt"; flow:established,to_server; flowbits:isset,dce.bind.dns; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10973; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX little endian object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; pcre:"/^.{19}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10843; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 dns R_Dnssrv funcs1 little endian overflow attempt"; flow:to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; 
pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10964; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 andx overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10892; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB dns R_Dnssrv funcs1 WriteAndX unicode andx object call overflow attempt"; flow:to_server; flowbits:isset,dce.bind.dns; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; 
pcre:"/^.{19}(\x00\x00|\x00\x01|\x00\x02|\x00\x03|\x00\x04|\x00\x0a)/sR"; pcre:"/^.{16}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align; byte_test:4,>,256,4,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10903; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB v4 dns R_Dnssrv funcs1 unicode little endian andx overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10886; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 dns R_Dnssrv funcs1 WriteAndX little endian overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|A4 C2 AB|PMW|B3|@|9D|f|EE|O|D5 FB A0|v"; within:16; distance:22; pcre:"/^.{28}(\x00\x00|\x01\x00|\x02\x00|\x03\x00|\x04\x00|\x0a\x00)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,relative,align; 
byte_test:4,>,256,4,little,relative; reference:bugtraq,23470; reference:cve,2007-1748; classtype:attempted-admin; sid:10819; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Bitmap Transfer"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)image\x2fbmp/smi"; flowbits:set,file.bmp; flowbits:noalert; classtype:protocol-command-decode; sid:3684; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:misc-attack; sid:2308; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:misc-attack; sid:2309; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 
00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:misc-attack; sid:2310; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:misc-attack; sid:2311; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:misc-attack; sid:2315; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC Workstation Service direct service access attempt"; flow:to_server; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:misc-attack; sid:2316; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"DELETED BACKDOOR mass connect 1.1 runtime detection - http"; flow:to_server,established; content:"User-Agent|3A|"; nocase; 
content:"UtilMind"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*UtilMind\s+HTTPGet/smi"; reference:url,splintersecurity.com/DownloadDB/pafiledb.php?action=file&id=462; classtype:trojan-activity; sid:7100; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DELETED DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2500; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:8;) # alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"DELETED POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; 
content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2534; rev:9;) # alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"DELETED POP3 SSLv2 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3509; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3506; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3505; rev:3;) # alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"DELETED POP3 TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3510; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 TLSv1 Client_Hello request"; flow:to_server,established; 
flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3507; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3508; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP Mozilla regular expression heap corruption attempt"; flow:established, to_server; content:"RegExp"; nocase; pcre:"/(\x22(\x5C.|[^\x5C\x22])*\x5B(\x5C.|[^\x5C\x22\x5D])*\x5C\x5C\x22|\x27(\x5C.|[^\x5C\x27])*\x5B(\x5C.|[^\x5C\x27\x5D])*\x5C\x5C\x27)/sm"; reference:bugtraq,20042; reference:cve,2006-4566; classtype:attempted-user; sid:8442; rev:2;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:708; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:702; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:703; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:690; rev:13;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:696; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:697; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; 
offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:698; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"DELETED SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:700; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:674; rev:12;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:675; rev:13;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:682; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_printstatements possible buffer overflow"; flow:to_server,established; 
content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:699; rev:13;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:701; rev:13;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:705; rev:13;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:706; rev:13;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"DELETED SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-092; classtype:attempted-user; sid:707; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC ///cgi-bin access"; flow:to_server,established; content:"///cgi-bin"; 
nocase; http_uri; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC /cgi-bin/// access"; flow:to_server,established; content:"/cgi-bin///"; nocase; http_uri; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Open document file transfer attempt"; flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; flowbits:set,odf.file; flowbits:noalert; classtype:not-suspicious; sid:8447; rev:3;) # alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR DonaldDick 1.53 Traffic"; flow:to_client,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"DELETED BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:4;) # alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR uprising screen control 1.0 runtime detection - begin capture"; flow:to_client,established; flowbits:isset,Uprising_Screen_Control_BeginCapture; content:"/GR"; depth:3; pcre:"/^\x2fGR\d+\x3B\d+/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; classtype:trojan-activity; sid:7095; rev:5;) # alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR uprising screen control 1.0 runtime detection - init connectiion"; flow:to_client,established; flowbits:isset,Uprising_Screen_Control_InitConnection; content:"/LO"; depth:3; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; 
classtype:trojan-activity; sid:7093; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2208 (msg:"DELETED BACKDOOR uprising screen control 1.0 runtime detection"; flow:to_server,established; content:"/GR"; depth:3; flowbits:set,Uprising_Screen_Control_BeginCapture; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; classtype:trojan-activity; sid:7094; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2208 (msg:"DELETED BACKDOOR uprising screen control 1.0 runtime detection"; flow:to_server,established; content:"/LR"; depth:3; flowbits:set,Uprising_Screen_Control_InitConnection; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; classtype:trojan-activity; sid:7092; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2251; rev:18;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:4;) # alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:4;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:4;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:4;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:4;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI NPH-publish access"; flow:to_server,established; content:"/nph-publish"; nocase; http_uri; reference:cve,1999-1177; reference:nessus,10164; classtype:attempted-recon; sid:830; rev:12;) # alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI pfdisplay.cgi access"; flow:to_server,established; content:"/pfdispaly.cgi"; nocase; http_uri; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:attempted-recon; sid:841; rev:12;) # alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"DELETED BACKDOOR Infector 1.6 Server to Client"; flow:established,to_client; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:11;) # alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR NetSphere 1.31.337 access"; flow:to_client,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR charon runtime detection - download log"; flow:to_client,established; flowbits:isset,backdoor.charon.download.log.2; content:"SEND|7C|"; depth:5; nocase; flowbits:unset,backdoor.charon.download.log.2; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7063; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR net devil 1.4 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,NetDevil_Init2; content:"ver1.4"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7781; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR net devil 1.4 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,NetDevil_Init1; content:"version"; nocase; flowbits:set,NetDevil_Init2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7780; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2208 (msg:"DELETED BACKDOOR screen control 1.0 runtime detection - capture on port 2208 - flowbit set"; 
flow:to_server,established; content:"/GR"; flowbits:set,ScreenControl_conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7666; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR net devil 1.4 runtime detection - initial connection - flowbit set 1"; flow:to_client,established; content:"passed"; depth:6; nocase; flowbits:set,NetDevil_Init1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7779; rev:4;) # alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR vampire runtime detection"; flow:to_client,established; flowbits:isset,backdoor.vampire.runtime.detection; content:"Vampire"; depth:7; nocase; content:"Server On-Line....."; distance:0; nocase; pcre:"/^Vampire\s+v\d+\x2E\d+\s+Server\s+On-Line\x2E\x2E\x2E\x2E\x2E/i"; reference:url,www.megasecurity.org/trojans/v/vampire/Vampire1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=6513; classtype:trojan-activity; sid:7110; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"DELETED BACKDOOR vampire runtime detection"; flow:to_server,established; content:"Hello..."; depth:8; nocase; flowbits:set,backdoor.vampire.runtime.detection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/v/vampire/Vampire1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=6513; classtype:trojan-activity; sid:7109; rev:4;) # alert tcp $HOME_NET 23032 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR amanda 2.0 runtime detection - initial connection"; flow:to_client,established; content:"Connected"; depth:9; nocase; content:"To"; distance:0; nocase; content:"Amanda"; distance:0; nocase; pcre:"/^Connected\s+To\s+Amanda\s+\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=1374; classtype:trojan-activity; sid:7056; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED 
BACKDOOR y3k 1.2 runtime detection - icq notification"; flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7117; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".asp"; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1801; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:11;) # alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"DELETED BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"DELETED BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:8;) # alert ip any any -> any any (msg:"DELETED BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:10;) # alert udp any 4000 -> any any (msg:"DELETED EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow 
attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:6;) # alert udp any 4000 -> any any (msg:"DELETED EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:6;) # alert udp any 4000 -> any any (msg:"DELETED EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2519; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED 
SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:2538; rev:4;) # alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"DELETED SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:2539; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2540; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP From command overflow attempt"; flow:to_server,established; content:"From"; nocase; pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP Sender 
command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:4;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:9;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DELETED DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; 
reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI MachineInfo access"; flow:to_server,established; content:"/MachineInfo"; nocase; http_uri; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI campus access"; flow:to_server,established; content:"/campus"; nocase; http_uri; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-activity; sid:1653; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; content:"/isapi/tstisapi.dll"; nocase; http_uri; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT HTML Help ActiveX Object Access"; flow:to_client,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;KB828750; reference:url,support.microsoft.com/default.aspx?scid=kb\;en-us\;Q293338; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; classtype:attempted-user; sid:4149; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv3 invalid data version attempt"; 
flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2505; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tls1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|03 01|"; depth:2; offset:4; flowbits:set,tls1.client_hello.request; flowbits:noalert; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:3060; rev:4;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.bind.ISystemActivator; detection_filter:track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-012; classtype:misc-attack; sid:2494; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; 
within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.bind.ISystemActivator; detection_filter:track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-012; classtype:misc-attack; sid:2495; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.bind.ISystemActivator; detection_filter:track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-012; classtype:misc-attack; sid:2496; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3251; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3248; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3270; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; 
flowbits:noalert; classtype:protocol-command-decode; sid:3255; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3265; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3268; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; 
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3250; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3264; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; 
flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3247; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3254; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3269; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; 
depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3262; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3246; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3253; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3263; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3249; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 
(msg:"DELETED NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3271; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3252; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 
00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3266; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-010; classtype:protocol-command-decode; sid:3267; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; 
classtype:protocol-command-decode; sid:3707; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3802; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3727; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3771; 
rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3743; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3787; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3794; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3750; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3730; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3726; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3812; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; 
classtype:protocol-command-decode; sid:3790; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3713; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3738; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3721; 
rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3766; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3807; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; 
pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3784; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3712; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3779; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3747; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 
(msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3704; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3775; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3780; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3754; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas andx bind attempt"; flow:to_server; content:"|11|"; 
depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3799; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3761; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; 
classtype:protocol-command-decode; sid:3742; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3808; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3803; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3708; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3793; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3736; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3731; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3772; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3746; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; 
content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3755; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3737; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3764; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 
0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3804; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3765; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3716; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3798; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3783; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3760; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3705; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3776; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3759; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 
02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3722; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3723; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3741; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; 
flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3752; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3706; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3786; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; 
byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3782; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3792; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3735; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; 
within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3732; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3763; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3810; 
rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3796; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3724; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; 
sid:3719; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3709; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3757; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; 
classtype:protocol-command-decode; sid:3809; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP veritas alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3769; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP veritas alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3773; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3728; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP veritas alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3777; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas bind attempt"; flow:established,to_server; content:"|00|"; depth:1; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3756; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3768; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3797; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX bind attempt"; flow:established,to_server; 
content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3740; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3710; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3800; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt"; 
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3745; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3715; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3718; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas 
WriteAndX unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3751; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3701; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3805; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3734; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3791; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas unicode little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 
1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3811; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3785; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3762; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3795; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP veritas bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3770; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3725; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3744; 
rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3749; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3788; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3781; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG 
SMB veritas unicode andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3806; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3801; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3758; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3714; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3789; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3703; rev:3;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3767; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3711; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; 
flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3748; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP veritas bind attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3774; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3729; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3778; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 
02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3720; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3753; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS veritas WriteAndX andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3739; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 
1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3733; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3702; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB veritas WriteAndX unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"|D0 1F 84 93 CE 16 CE 11 85 0D 02|`|8C|D|96|{"; distance:29; flowbits:set,dce.bind.veritas; classtype:protocol-command-decode; sid:3717; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3919; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; 
content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3936; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP umpnpmgr little endian alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3906; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4018; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP umpnpmgr PNP_QueryResConfList little endian attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4025; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList andx attempt"; flow:to_server; 
flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4036; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX little endian andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4046; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3939; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList unicode little endian attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4059; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4019; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3928; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3923; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3944; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; 
distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3914; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4033; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP umpnpmgr little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3903; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3935; rev:4;) # 
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3940; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4029; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList unicode little endian andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4058; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3932; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode little endian alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3896; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; content:"|04 00|"; 
byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3947; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3918; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3927; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP umpnpmgr PNP_QueryResConfList little endian attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; 
distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4021; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4051; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 umpnpmgr PNP_QueryResConfList attempt"; flow:to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4026; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 
CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3913; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3937; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3895; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX little endian andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; 
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4030; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3945; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP umpnpmgr bind attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3905; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP umpnpmgr bind attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3909; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4034; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3933; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3950; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList unicode attempt"; flow:to_server; content:"|11|"; depth:1; 
content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4057; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3920; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP umpnpmgr little endian alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3902; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList unicode little endian attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4043; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3941; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3948; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4016; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3917; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 umpnpmgr PNP_QueryResConfList attempt"; flow:to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4022; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; 
byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4050; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3924; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode little endian andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3897; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList little endian andx attempt"; 
flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4054; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3892; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode little endian andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; 
byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3925; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3912; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP umpnpmgr alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3908; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX little endian attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; 
classtype:protocol-command-decode; sid:4047; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList unicode andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4040; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP umpnpmgr bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3901; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4023; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3930; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList unicode andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4056; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX little endian alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; 
distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3916; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3949; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3898; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; 
byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4044; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3929; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3951; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX little endian attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; 
byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4031; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4037; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4027; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode little endian attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; 
content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4035; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP umpnpmgr PNP_QueryResConfList little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4017; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3931; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode andx alter context attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; 
within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3893; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP umpnpmgr little endian bind attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3911; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT v4 umpnpmgr PNP_QueryResConfList attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:3946; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList unicode attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4041; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP umpnpmgr PNP_QueryResConfList attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; 
content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4024; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList little endian attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"6|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4055; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3915; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode little endian bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; 
content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3943; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 593 (msg:"DELETED NETBIOS DCERPC NCACN-HTTP umpnpmgr alter context attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3900; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4053; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode andx alter context attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; 
byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3921; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3938; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP umpnpmgr little endian bind attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3907; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; 
offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4048; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList little endian attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4039; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX unicode attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4049; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED 
NETBIOS-DG SMB v4 umpnpmgr PNP_DetectResourceConflict unicode little endian andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"5|00|"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4125; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList unicode little endian andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4042; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; 
content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3926; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr unicode little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3942; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP umpnpmgr PNP_QueryResConfList attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4020; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList andx attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; 
distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4052; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4028; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr little endian andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; 
byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3934; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DELETED NETBIOS DCERPC NCADG-IP-UDP umpnpmgr little endian alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3910; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3894; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB v4 umpnpmgr PNP_QueryResConfList WriteAndX attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"@N|9F 8D|=|A0 CE 
11 8F|i|08 00|>0|05 1B|"; within:16; distance:22; content:"|00|6"; within:2; distance:28; pcre:"/^.{10}/sR"; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4045; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr WriteAndX unicode andx bind attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3922; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList WriteAndX unicode andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,&,8,15,relative,little; byte_jump:2,25,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00|6"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4032; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED NETBIOS DCERPC DIRECT-UDP umpnpmgr alter context attempt"; flow:to_server; content:"|05|"; byte_test:1,!&,16,3,relative; 
content:"|0E|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3904; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS umpnpmgr unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@N|9F 8D|=|A0 CE 11 8F|i|08 00|>0|05 1B|"; distance:29; flowbits:set,dce.bind.umpnpmgr; flowbits:noalert; classtype:protocol-command-decode; sid:3899; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB umpnpmgr PNP_QueryResConfList little endian andx attempt"; flow:to_server; flowbits:isset,dce.bind.umpnpmgr; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"6|00|"; within:2; distance:19; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:protocol-command-decode; sid:4038; rev:5;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 PCT Client_Hello overflow 
attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2516; rev:15;) # alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"DELETED BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:11;) # alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"DELETED BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:8;) # alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"DELETED BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:6;) # alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"DELETED BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:9;) # alert ip any any -> 216.80.99.202 any (msg:"DELETED BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; reference:cve,2002-2049; classtype:trojan-activity; sid:1791; rev:6;) # alert tcp any any -> 212.146.0.34 1963 (msg:"DELETED BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:10;) # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"DELETED INFO TELNET access"; 
flow:to_client,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"DELETED FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:5;) # alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"DELETED MISC Invalid PCAnywhere Login"; flow:to_client,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"DELETED MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED P2P Inbound GNUTella client request"; flow:established; flags:A+; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DELETED WEB-MISC O'Reilly args.bat access"; flow:to_server,established; content:"/cgi-dos/args.bat"; nocase; http_uri; classtype:attempted-recon; sid:1121; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DELETED WEB-CGI edit.pl access"; flow:to_server,established; content:"/edit.pl"; nocase; http_uri; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DELETED EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; 
rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DELETED WEB-MISC prefix-get //"; flow:to_server,established; content:"get //"; nocase; http_uri; classtype:attempted-recon; sid:1114; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DELETED EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; content:"/traace.axd"; nocase; http_uri; classtype:web-application-attack; sid:1749; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/../../../../../../../../../../../"; http_uri; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:13;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED ATTACK RESPONSES directory listing"; flow:to_client,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:8;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:5;) # alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"DELETED X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"DELETED FINGER cybercop redirection"; flow:to_server,established; dsize:11; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI swc attempt"; 
flow:to_server,established; content:"/swc"; nocase; http_uri; classtype:attempted-recon; sid:1477; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; flow:to_server,established; dsize:>258; content:"/fp30reg.dll"; nocase; http_uri; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-attack; sid:1246; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; flow:to_server,established; dsize:>259; content:"/fp4areg.dll"; nocase; http_uri; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT partial body overflow attempt"; flow:to_server,established; dsize:>1092; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"DELETED NNTP Cassandra Overflow"; flow:to_server,established; dsize:>512; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; content:"/bin/shA-cA/usr/openwin"; nocase; http_uri; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"DELETED EXPLOIT bootp x86 bsd overfow"; flow:to_server; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"DELETED EXPLOIT bootp x86 linux overflow"; flow:to_server; content:"A90|C0 A8 01 
01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:7;) # alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR netbus active"; flow:established; flags:A+; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"DELETED BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:6;) # alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR BackOrifice access"; flow:established; flags:A+; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"DELETED BACKDOOR BackOrifice access"; flow:to_server; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:7;) # alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Active on Network"; flow:to_client; reference:arachnids,106; classtype:misc-activity; sid:164; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; flow:to_server; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Show Picture Client Request"; flow:to_server; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; flow:to_server; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; flow:to_server; content:"33"; 
reference:arachnids,106; classtype:misc-activity; sid:168; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; flow:to_server; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; flow:to_server; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; flow:to_server; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; flow:to_server; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:8;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; flow:to_server; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; flow:to_server; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; flow:to_server; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; flow:to_server; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; flow:to_server; content:"KeyLogger 
Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; flow:to_server; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Process List Client request"; flow:to_server; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; flow:to_server; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Registry Add Client Request"; flow:to_server; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 System Info Client Request"; flow:to_server; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 FTP Status Client Request"; flow:to_server; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:7;) # alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; flow:to_client; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; flow:to_server; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:7;) # alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Status From Server"; flow:to_client; content:"Host"; reference:arachnids,106; 
classtype:misc-activity; sid:127; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Status Client Request"; flow:to_server; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:7;) # alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Drive Info From Server"; flow:to_client; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:7;) # alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 System Info From Server"; flow:to_client; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Drive Info Client Request"; flow:to_server; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:7;) # alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; flow:to_client; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; flow:to_server; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; flow:to_server; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; flow:to_server; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; flow:to_server; content:"92"; reference:arachnids,106; 
classtype:misc-activity; sid:136; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Rehash Client Request"; flow:to_server; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; flow:to_server; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; flow:to_server; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; flow:to_server; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; flow:to_server; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"DELETED BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; flow:to_server; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:7;) # alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Server Active on Network"; flow:to_client; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; flow:to_server; reference:arachnids,106; classtype:misc-activity; sid:151; rev:7;) # alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Wrong Password"; flow:to_client; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; 
sid:154; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; flow:to_server; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:7;) # alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"DELETED BACKDOOR DeepThroat access"; flow:to_client; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:8;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; flow:to_server; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Delete File Client Request"; flow:to_server; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Kill Window Client Request"; flow:to_server; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Disable Window Client Request"; flow:to_server; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Enable Window Client Request"; flow:to_server; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; flow:to_server; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Hide Window Client Request"; flow:to_server; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 
2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Show Window Client Request"; flow:to_server; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; flow:to_server; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; flow:to_server; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Create Directory Client Request"; flow:to_server; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 All Window List Client Request"; flow:to_server; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Play Sound Client Request"; flow:to_server; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; flow:to_server; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; flow:to_server; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Get NET File Client Request"; flow:to_server; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR 
DeepThroat 3.1 Find File Client Request"; flow:to_server; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 Find File Client Request"; flow:to_server; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; flow:to_server; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; flow:to_server; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:7;) # alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"DELETED BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; flow:to_server; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DELETED DNS named iquery attempt"; flow:to_server; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:9;) # alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"DELETED BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; flow:to_client; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" 
|90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; 
content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:348; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq,113; reference:cve,1999-0368; classtype:attempted-admin; sid:352; rev:8;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"DELETED RPC EXPLOIT ttdbserv solaris overflow"; flow:to_server,established; dsize:>999; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; 
classtype:attempted-admin; sid:570; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"DELETED RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize:>999; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap request yppasswdd"; flow:to_server; rpc:100009,*,*; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:1296; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:1297; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"DELETED RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:7;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"DELETED RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; 
sid:600; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi?page=../.."; http_uri; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:299; rev:8;) # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 22 (msg:"DELETED SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"DELETED RPC rstatd query"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"DELETED RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:6;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED ATTACK-RESPONSES id check returned nobody"; flow:to_client,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:7;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED ATTACK-RESPONSES id check returned web"; flow:to_client,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:7;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED ATTACK-RESPONSES id check returned http"; flow:to_client,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:7;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED ATTACK-RESPONSES id check returned apache"; flow:to_client,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; 
reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:12;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED DOS Land attack"; flow:stateless; flags:S; id:3868; seq:3868; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:16;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"DELETED RPC portmap tooltalk request UDP"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; 
reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:16;) # alert tcp any 110 -> any any (msg:"DELETED Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... 
Hey you !"; classtype:misc-activity; sid:727; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:mcafee,98775; classtype:misc-activity; sid:731; rev:9;) # alert tcp any any -> any 25 (msg:"DELETED Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:mcafee,98775; classtype:misc-activity; sid:733; rev:8;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:7;) # alert tcp any any -> any 25 (msg:"DELETED Virus - Successful eurocalculator execution"; flow:established; flags:PA; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:7;) # alert tcp any any -> any 110 (msg:"DELETED Virus - Possible Pikachu Pokemon Virus"; flow:established; flags:PA; content:"Pikachu Pokemon"; reference:mcafee,98696; classtype:misc-activity; sid:738; rev:10;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:mcafee,10389; classtype:misc-activity; sid:739; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:mcafee,10497; classtype:misc-activity; sid:740; rev:9;) # alert tcp any 110 
-> any any (msg:"DELETED Virus - Possible NAIL Worm"; flow:established; content:"Market share tipoff"; reference:mcafee,10109; classtype:misc-activity; sid:741; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:mcafee,10109; classtype:misc-activity; sid:742; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:mcafee,10109; classtype:misc-activity; sid:743; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:mcafee,10109; classtype:misc-activity; sid:744; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:mcafee,10145; classtype:misc-activity; sid:745; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:mcafee,10225; classtype:misc-activity; sid:746; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:8;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:mcafee,10388; classtype:misc-activity; sid:748; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:mcafee,10471; classtype:misc-activity; sid:749; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:mcafee,10509; classtype:misc-activity; sid:751; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus Possible Suppl Worm"; flow:established; 
content:"filename=|22|Suppl.doc|22|"; nocase; reference:mcafee,10361; classtype:misc-activity; sid:752; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:753; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:mcafee,10502; classtype:misc-activity; sid:754; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:mcafee,98552; classtype:misc-activity; sid:755; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:mcafee,10355; classtype:misc-activity; sid:756; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:mcafee,10505; classtype:misc-activity; sid:757; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:mcafee,10478; classtype:misc-activity; sid:758; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:mcafee,10502; classtype:misc-activity; sid:759; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:mcafee,10467; classtype:misc-activity; sid:760; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:mcafee,10540; 
classtype:misc-activity; sid:761; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:762; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:763; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:764; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:765; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:766; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:767; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:768; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:769; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:770; 
rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Toadie E-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:771; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:mcafee,10175; classtype:misc-activity; sid:772; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:mcafee,10144; classtype:misc-activity; sid:773; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:6;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:mcafee,10418; classtype:misc-activity; sid:775; rev:8;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:776; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:mcafee,10467; classtype:misc-activity; sid:777; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:mcafee,10461; classtype:misc-activity; sid:778; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:779; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; 
nocase; reference:mcafee,10540; classtype:misc-activity; sid:780; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:781; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:782; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:783; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:784; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:785; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:786; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:787; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:788; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; 
sid:790; rev:8;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:791; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:mcafee,98661; classtype:misc-activity; sid:792; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:mcafee,98661; classtype:misc-activity; sid:794; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:mcafee,98674; classtype:misc-activity; sid:799; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:mcafee,98661; classtype:misc-activity; sid:800; rev:9;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; 
nocase; classtype:misc-activity; sid:801; rev:7;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:mcafee,10540; classtype:misc-activity; sid:789; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:6;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2254; rev:5;) # alert tcp any 110 -> any any (msg:"DELETED Virus - Possible Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:mcafee,10450; classtype:misc-activity; sid:802; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS multiple decode attempt"; flow:to_server,established; content:"%5c"; http_uri; content:".."; http_uri; reference:bugtraq,2708; reference:cve,2001-0333; reference:nessus,10671; classtype:web-application-attack; sid:970; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC Tomcat source code view"; flow:to_server,established; content:".js%2570"; nocase; http_uri; classtype:attempted-recon; sid:1236; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC Tomcat source code view"; flow:to_server,established; content:".j%2573p"; nocase; http_uri; classtype:attempted-recon; sid:1237; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC Tomcat source code view"; flow:to_server,established; content:".%256Asp"; nocase; http_uri; classtype:attempted-recon; sid:1238; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"DELETED WEB-CGI faxsurvey attempt full path"; flow:to_server,established; content:"/faxsurvey?/"; nocase; http_uri; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; content:"/faxsurvey?cat%20"; nocase; http_uri; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:11;) # alert tcp any any -> any 139 (msg:"DELETED Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:mcafee,98775; classtype:misc-activity; sid:732; rev:10;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:8;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .vbs 
file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:8;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:5;) # alert tcp 
$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:5;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:8;) # alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"DELETED VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; 
nocase; classtype:suspicious-filename-detect; sid:2173; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC ?open access"; flow:to_server,established; content:"?open"; nocase; http_uri; classtype:web-application-activity; sid:1561; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase; http_uri; classtype:web-application-activity; sid:1665; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"DELETED TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"DELETED SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2503; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"DELETED WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2506; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"DELETED MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2499; rev:11;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 993 (msg:"DELETED IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2498; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN nmap TCP"; flow:stateless; ack:0; flags:A,12; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SCAN nmap fingerprint attempt"; flow:stateless; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,1999-0997; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:1530; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2385; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB NTLMSSP invalid 
mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2384; rev:12;) # alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"DELETED MISC Cisco Catalyst Remote Access"; flow:stateless; flags:SA,12; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DELETED SCAN Proxy Port 8080 attempt"; flow:stateless; flags:S,12; classtype:attempted-recon; sid:620; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"DELETED SCAN SOCKS Proxy attempt"; flow:stateless; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"DELETED SCAN Squid Proxy attempt"; flow:stateless; flags:S,12; classtype:attempted-recon; sid:618; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:981; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:982; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS unicode directory traversal attempt"; 
flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:983; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:1945; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP CWD ~ attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"DELETED FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; reference:cve,2002-0915; classtype:denial-of-service; sid:1779; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC b2 access"; flow:to_server,established; content:"/b2/b2-include/"; http_uri; content:"b2inc"; content:"http|3A|//"; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1758; rev:10;) # alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"DELETED MULTIMEDIA Windows Media Video download"; flow:to_client,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC order.log access"; flow:to_server,established; content:"/admin_files/order.log"; nocase; http_uri; classtype:attempted-recon; sid:1176; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI /cart/cart.cgi access"; flow:to_server,established; content:"/cart/cart.cgi"; http_uri; reference:bugtraq,1115; 
reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:10;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:4;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:2;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; 
pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"DELETED ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:3;) # alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DELETED ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC cgitest.exe attempt"; flow:to_server,established; content:"/cgitest.exe|0D 0A|user"; nocase; http_uri; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; nocase; http_uri; classtype:web-application-attack; sid:1328; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS ps command attempt"; flow:to_server,established; content:"ps%20"; nocase; http_uri; 
classtype:web-application-attack; sid:1329; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; reference:bugtraq,10361; reference:cve,2004-2014; classtype:web-application-attack; sid:1330; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS chown command attempt"; flow:to_server,established; 
content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; 
content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS perl execution attempt"; flow:to_server,established; 
content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS rm command attempt"; 
flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /bin/ls piped command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; nocase; http_uri; classtype:web-application-attack; sid:1368; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; nocase; http_uri; classtype:web-application-attack; sid:1369; rev:8;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:7;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:8;) # alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"DELETED INFO TELNET Bad Login"; 
flow:to_client,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"DELETED POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-dos; sid:2501; rev:13;) # alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR netbus 1.7 runtime detection - initial connection"; flow:to_client,established; content:"NetBus"; depth:6; nocase; pcre:"/^NetBus\s+\d+\x2E\d+/smi"; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:6038; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR optixlite 1.0 runtime detection - conn failure-cts"; flow:to_server,established; content:"password|3B|"; depth:9; nocase; flowbits:set, optixlite_fai_conn_cts; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1577; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26952; classtype:trojan-activity; sid:6067; rev:3;) # alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR satanz Backdoor runtime detection"; flow:to_client,established; content:"INIRemote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:6158; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BACKDOOR clindestine 1.0 icq notification of server installation"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"Host|3A|"; nocase; content:"wwp.mirabilis.com"; 
distance:0; nocase; content:"from="; nocase; content:"fromemail="; distance:0; nocase; content:"subject="; distance:0; nocase; content:"to=24962844"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*wwp\.mirabilis\.com.*from=[^\r\n]*fromemail=[^\r\n]*subject=[^\r\n]*to=24962844/smi"; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6135; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR netsphere v1.31.337 final runtime detection"; flow:to_client,established; content:""; depth:29; nocase; reference:url,www.megasecurity.org/trojans/n/netsphere/NetSphere1.31.337final.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31847; classtype:trojan-activity; sid:6162; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"DELETED BACKDOOR fkwp 2.0 runtime detection - conn success-cts"; flow:to_server,established; content:"AUTH"; depth:4; nocase; flowbits:set,fkwp_conn_suc_cts; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6032; rev:3;) # alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR gate crahser v1.2 runtime detection"; flow:to_client,established; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:6163; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Trickler VX2/ABetterInternet transponder thinstaller runtime detection - download request 2"; flow:to_server,established; content:"/a/Aid.sen?StubName="; nocase; http_uri; reference:url,research.sunbelt-software.com/threat_display.cfm?name=ABetterInternet&threatid=14797; 
reference:url,www.doxdesk.com/parasite/Transponder.html; classtype:misc-activity; sid:5870; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Trickler VX2/ABetterInternet transponder thinstaller runtime detection - download request 1"; flow:to_server,established; content:"/a/Drk.syn?bho="; nocase; http_uri; reference:url,research.sunbelt-software.com/threat_display.cfm?name=ABetterInternet&threatid=14797; reference:url,www.doxdesk.com/parasite/Transponder.html; classtype:misc-activity; sid:5869; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware deskwizz runtime detection - ad banner"; flow:to_server,established; content:"/GetAd/DolRevWrld"; nocase; http_uri; pcre:"/GetAd\x2FDolRevWrld(Top|Bottom)\x2Etxt/Ui"; content:"Host|3A|"; nocase; content:"deskwizz.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*deskwizz\x2Ecom/smi"; reference:url,www.spywareguide.com/product_show.php?id=1127; classtype:misc-activity; sid:6210; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker zeropopup runtime detection - button search"; flow:to_server,established; content:"/searchbar/search.php"; nocase; http_uri; content:"term="; nocase; http_uri; content:"Host|3A|"; nocase; content:"www.znext.com"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=627; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075510; classtype:misc-activity; sid:6393; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware bundleware ds3 runtime detection - initial connection"; flow:to_server,established; content:"/cgi-bin/InitV2"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"type="; nocase; http_uri; content:"mSkip="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A|"; nocase; content:"www.ad-w-a-r-e.com"; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Ead-w-a-r-e\x2Ecom/smi"; 
reference:url,www.nuker.com/container/details/bundleware.php; classtype:misc-activity; sid:6272; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware spoton runtime detection"; flow:to_server,established; content:"/js/jsnew2.php?"; nocase; http_uri; content:"grp="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ft_id="; nocase; http_uri; content:"c="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"k="; nocase; reference:url,www.spywareguide.com/product_show.php?id=505; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073158; classtype:misc-activity; sid:6235; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware bundleware ds3 runtime detection - pop-up retreival"; flow:to_server,established; content:"/cgi-bin/PopupV3"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"type="; nocase; http_uri; content:"mSkip="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A|"; nocase; content:"www.ad-w-a-r-e.com"; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Ead-w-a-r-e\x2Ecom/smi"; reference:url,www.nuker.com/container/details/bundleware.php; classtype:misc-activity; sid:6273; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker gigatech superbar runtime detection - hijack ie auto search"; flow:to_server,established; content:"/bin/findwhat.dll?getresults"; nocase; http_uri; content:"base="; nocase; content:"dc="; nocase; content:"aff_id="; nocase; content:"mt="; nocase; content:"ip_addr="; nocase; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6262; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware exact.bargainbuddy runtime detection - adp ads"; flow:to_server,established; content:"/exact/rotate/"; nocase; http_uri; 
content:"Host|3A|"; nocase; content:"offers.bullseye-network.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*offers\x2Ebullseye-network\x2Ecom/smi"; reference:url,www.spywareguide.com/product_show.php?id=463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068324; classtype:misc-activity; sid:6229; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware flashtrack media runtime detection - download .dll"; flow:to_server,established; content:"/upgradexmod.dll?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"g="; nocase; http_uri; content:"i="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3A|"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Daemon/smi"; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6369; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker navexcel runtime detection"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"ts="; nocase; http_uri; content:"w="; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:6277; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware flashtrack media runtime detection - download .exe"; flow:to_server,established; content:"/apps/ft30s.exe?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"g="; nocase; http_uri; content:"i="; nocase; http_uri; content:"User-Agent|3A|"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Daemon/smi"; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6370; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware mirar runtime detection - search"; 
flow:to_server,established; content:"/?KEYWORD="; nocase; http_uri; content:"T="; nocase; http_uri; content:"ERROR="; http_uri; content:"Host|3A|"; nocase; content:"websearch.getmirar.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*websearch\x2Egetmirar\x2Ecom/smi"; reference:url,www.spywareguide.com/product_show.php?id=637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; classtype:misc-activity; sid:6231; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT DXImageTransform.Microsoft.Light ActiveX function call access"; flow:established,to_client; content:"DXImageTransform.Microsoft.Light"; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.Light\x22|\x27DXImageTransform.Microsoft.Light\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.Light\x22|\x27DXImageTransform.Microsoft.Light\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:cve,2006-2383; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-021; classtype:attempted-user; sid:6519; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - tracking"; flow:to_server,established; content:"t.php"; nocase; http_uri; content:"sc_project="; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; pcre:"/u=[^\r\n]*www.wowokay.com/Ui"; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7131; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - search assissant hijacking"; flow:to_server,established; content:"/?s="; nocase; 
http_uri; content:"Host|3A|"; nocase; content:"www.weepee.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\x2Eweepee\x2Ecom/smi"; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7134; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - advertising 1"; flow:to_server,established; content:"/mb/text_group.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"col="; nocase; http_uri; content:"br="; nocase; http_uri; content:"dk="; nocase; http_uri; content:"Referer|3A|"; nocase; content:"www.wowokay.com/wowokaybar.php"; distance:0; nocase; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom/wowokaybar\x2Ephp/smi"; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7132; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - advertising 2"; flow:to_server,established; content:"/ea.exe"; nocase; http_uri; content:"sb"; nocase; http_uri; content:"joelesoftware"; nocase; http_uri; content:"01"; nocase; http_uri; content:"Referer|3A|"; nocase; content:"www.wowokay.com/wowokaybar.php"; distance:0; nocase; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom/wowokaybar\x2Ephp/smi"; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7133; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - info request"; flow:to_client,established; flowbits:isset,DesktopDetective_InfoRequest; content:"|FE FE FE FE|90|00 00|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=349; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060318; classtype:successful-recon-limited; sid:7182; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"DELETED SPYWARE-PUT Keylogger ab 
system spy runtime detection - info update"; flow:to_server,established; flowbits:isset,ABSystemSpy_InfoUpdated; content:"chkCtr"; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7174; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"DELETED SPYWARE-PUT Keylogger ab system spy runtime detection - info update"; flow:to_server,established; flowbits:isset,ABSystemSpy_InfoUpdatec; content:"chkCap"; flowbits:set,ABSystemSpy_InfoUpdated; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7173; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - info request"; flow:to_server,established; content:"|FE FE FE FE 00 00 00 00|"; depth:8; flowbits:set,DesktopDetective_InfoRequest; flowbits:noalert; classtype:successful-recon-limited; sid:7181; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"DELETED SPYWARE-PUT Keylogger ab system spy runtime detection - info update"; flow:to_server,established; content:"chkLis"; depth:6; flowbits:set,ABSystemSpy_InfoUpdatea; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7170; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"DELETED SPYWARE-PUT Keylogger ab system spy runtime detection - info update"; flow:to_server,established; flowbits:isset,ABSystemSpy_InfoUpdateb; content:"chkCli"; flowbits:set,ABSystemSpy_InfoUpdatec; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7172; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"DELETED SPYWARE-PUT Keylogger ab system spy runtime detection - info update"; flow:to_server,established; flowbits:isset,ABSystemSpy_InfoUpdatea; content:"chkShe"; 
flowbits:set,ABSystemSpy_InfoUpdateb; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7171; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker funbuddyicons runtime detection - funwebproducts user-agent string"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"FunWebProducts"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*FunWebProducts/smi"; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5856; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker webcrawler runtime detection"; flow:to_server,established; content:"/info.wbcrwl.toolbar/tbar/plugin/"; nocase; http_uri; content:"User-Agent|3A|"; nocase; content:"Infospace"; distance:0; nocase; content:"Toolbar"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Infospace\s+Toolbar/smi"; reference:url,www.spywareguide.com/product_show.php?id=2134; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079952; classtype:misc-activity; sid:5912; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware hxdl runtime detection - crypt user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"CryptRetrieveObjectByUrl|3A 3A|InetSchemeProvider"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]+CryptRetrieveObjectByUrl\x3A\x3AInetSchemeProvider/smi"; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7555; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call unicode access"; flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|G|00|2|00| 
|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12026; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX function call access"; flow:established,to_client; content:"rmocx.RealPlayer G2 Control"; pcre:"/(?P\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ParseWallClock\s*|.*(?P=v)\s*\.\s*ParseWallClock\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\)(\s*\.\s*ParseWallClock\s*|.*(?P=n)\s*\.\s*ParseWallClock\s*)\s*\(/smi"; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12025; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid unicode access"; flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|A|00|0|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|c|00|f|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; 
reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12024; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Helix G2 Control ActiveX clsid access"; flow:established,to_client; content:"CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ParseWallClock)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(ParseWallClock))\s*\(/si"; reference:bugtraq,24658; reference:cve,2007-3410; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=547; classtype:attempted-user; sid:12023; rev:2;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:4;) # alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"DELETED VOIP-SIP Request Too Small"; dsize:<11; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:12008; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware adblaster 2.0 runtime detection"; flow:to_server,established; content:"/pagead/ads"; nocase; http_uri; content:"client="; nocase; http_uri; content:"dt="; nocase; http_uri; content:"lmt="; nocase; http_uri; content:"ad_type="; nocase; http_uri; content:"ga_vid="; nocase; http_uri; content:"ga_sid="; nocase; http_uri; content:"ga_hid="; nocase; http_uri; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453075129; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-051216-4630-99; classtype:misc-activity; 
sid:12488; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Aurigma Image Uploader ActiveX clsid unicode access"; flow:established,to_client; content:"6|00|E|00|5|00|E|00|1|00|6|00|7|00|B|00|-|00|1|00|5|00|6|00|6|00|-|00|4|00|3|00|1|00|6|00|-|00|B|00|2|00|7|00|F|00|-|00|0|00|D|00|D|00|A|00|B|00|3|00|4|00|8|00|4|00|C|00|F|00|7|00|"; nocase; pcre:"/1([^>]\x00)*1(?P\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:bugtraq,26537; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; classtype:attempted-user; sid:12777; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Aurigma Image Uploader ActiveX clsid access"; flow:established,to_client; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; pcre:"/(]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GotoFolder|CanGotoFolder)|]*\s*classid\s*=\s*(?P\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P\x22|\x27|)(?P.+?)(?P=m2)(\s|>).*(?P=id2)\.(GotoFolder|CanGotoFolder))\s*\(/si"; reference:bugtraq,26537; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; classtype:attempted-user; sid:12776; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Aurigma Image Uploader ActiveX function call access"; flow:established,to_client; content:"Aurigma.ImageUploader"; 
pcre:"/(?P\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=v)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)|(?P\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=n)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)\s*\(/smi"; reference:bugtraq,26537; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; classtype:attempted-user; sid:12778; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Aurigma Image Uploader ActiveX function call unicode access"; flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*1\(\x00(\s\x00)*(?P\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,26537; reference:url,blogs.aurigma.com/post/2007/11/Security-issue-in-Image-Uploader.aspx; classtype:attempted-user; sid:12779; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Internet Explorer malformed CSS memory corruption attempt"; flow:established,to_client; content:""; nocase; reference:bugtraq,25288; reference:cve,2007-0943; classtype:attempted-user; sid:13518; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"client="; 
nocase; http_uri; content:"myway"; nocase; http_uri; pcre:"/\x2Fpagead\x2Fads\?[^\r\n]*client=[^\r\n]*myway/Ui"; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5804; rev:8;) # alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"DELETED BACKDOOR ykw v375 runtime detection"; flow:to_client,established; content:"|00 00 00 09|"; depth:4; reference:url,fool-workroom.com/qita/index.asp; classtype:trojan-activity; sid:11315; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:to_client,established; flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8477; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware cashbar runtime detection - stats track 1"; flow:to_server,established; content:"/cgi-bin/afstrack.cgi?"; nocase; http_uri; content:"usr="; http_uri; content:"Host|3A|"; nocase; content:"www3.addfreestats.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www3\.addfreestats\.com/smi"; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5931; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker searchmiracle-elitebar runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"iebar"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*iebar/smi"; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:misc-activity; sid:5806; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Shell.Explorer ActiveX 
Object Access"; flow:to_client,established; content:"8856F961-340A-11D0-A96B-00C04FD705A2"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8856F961-340A-11D0-A96B-00C04FD705A2/si"; reference:bugtraq,11466; reference:cve,2005-0053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-014; classtype:attempted-user; sid:4166; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"DELETED SPYWARE-PUT Adware trustyfiles v2.4.0.4 runtime detection - startup access"; flow:to_server,established; content:"/index-tf.php"; nocase; http_uri; content:"Host|3A| trustyfiles com"; nocase; reference:url,www.www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:5877; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"DELETED SPYWARE-PUT Adware trustyfiles v2.4.0.4 runtime detection - configuration retrieval"; flow:to_server,established; content:"/sw/NetConfig24.dat"; nocase; http_uri; content:"Host|3A|TRUSTYFILES COM"; nocase; reference:url,www.www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:5878; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker incredifind runtime detection - autosearch"; flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"keywords="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/KeenValue.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077295; classtype:misc-activity; sid:6276; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"DELETED SPYWARE-PUT Adware trustyfiles v2.4.0.4 runtime detection - update notification"; flow:to_server,established; content:"/sw/promo/index.php"; nocase; http_uri; content:"Host|3A| trustyfiles com"; nocase; 
reference:url,www.www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:5879; rev:8;) # alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"DELETED SMTP Adobe PDF JBIG2 remote code execution attempt"; flow:to_client, established; content:"JBIG2Decode"; nocase; content:"stream|0D 0A|"; distance:0; byte_test:1, &, 64, 4, relative; byte_test:1, <, 160, 5, relative; byte_test:4, >, 35256, 6, relative,little; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15354; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt"; flow:to_client, established; content:"JBIG2Decode"; nocase; content:"stream|0D 0A|"; distance:0; byte_test:1, &, 64, 4, relative; byte_test:1, <, 160, 5, relative; byte_test:4, >, 35256, 6, relative,little; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:15355; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPECIFIC-THREATS b.js download - possible Asprox trojan attack"; flow:established,to_server; content:"/b.js"; nocase; http_uri; reference:url,blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514; classtype:trojan-activity; sid:13952; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory corruption attempt"; flow:to_client,established; content:"unescape"; pcre:"/\x3cp\x3e\s*\x3cfont\x3e\s*\x3c\x2ffont\x3e\s*\x3c\x2fp\x3e/i"; reference:bugtraq,35660; reference:cve,2009-2477; reference:url,www.kb.cert.org/vuls/id/443060; classtype:attempted-user; sid:15696; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED Squid Proxy invalid HTTP response code denial of service attempt"; 
flow:to_client,established; content:"-100"; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP\x2F1\x2E[01]\s+\x2D100/sm"; reference:bugtraq,35812; reference:cve,2009-2621; reference:cve,2009-2622; classtype:denial-of-service; sid:16203; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED Snoopware xpress remote runtime detection - init connection"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|00 00 00|"; within:3; distance:1; flowbits:set,XpressRemote_detection; flowbits:noalert; classtype:successful-recon-limited; sid:13763; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR charon runtime detection - download log flowbit 2"; flow:to_server,established; flowbits:isset,backdoor.charon.download.log.1; content:"FREQ|7C|"; depth:5; nocase; pcre:"/^FREQ\|\d+/smi"; flowbits:set,backdoor.charon.download.log.2; flowbits:unset,backdoor.charon.download.1; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7062; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"DELETED BACKDOOR flux 1.0 runtime detection - initial connection - flowbit 3"; flow:to_server,established; flowbits:isset,flux10.2; content:"|08 00 00 00|"; depth:4; flowbits:set,flux10.3; flowbits:noalert; classtype:trojan-activity; sid:7612; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"DELETED SPYWARE-PUT Keylogger aspy v2.12 runtime detection"; flow:to_server,established; content:"This"; nocase; content:"is"; distance:0; nocase; content:"report"; distance:0; nocase; content:"of"; distance:0; nocase; content:"the"; distance:0; nocase; content:"program"; distance:0; nocase; content:"`aSpy`."; distance:0; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=aSpy&threatid=48392; reference:url,www.emsisoft.es/en/malware/?Adware.Win32.aSpy+Keylogger; classtype:successful-recon-limited; sid:16128; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED 
SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads 1"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"client="; nocase; http_uri; content:"iwon"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6217; rev:7;) # alert tcp $HOME_NET any -> 83.149.75.49 80 (msg:"DELETED SPECIFIC-THREATS Trojan.Duntek Data Report POST"; flow:established,to_server; content:"Host|3A|"; nocase; content:"83.149.75.49"; distance:0; content:"Cookie"; nocase; content:"dun_other"; distance:0; nocase; pcre:"/^Host\x3A\s+83\.149\.75\.49/smi"; pcre:"/^Cookie\x3A\s+[^\r\n]*dun_other\s*=\s*[^\r\n]+/smi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=2; classtype:trojan-activity; sid:10402; rev:4;) # alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Eudora 250 command response buffer overflow attempt"; flow:established,to_client; content:"250"; pcre:"/^250[^\x90]*\x90{10,}/sm"; reference:cve,2007-2770; classtype:attempted-user; sid:11669; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime search detection - search request 2"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"ts="; nocase; http_uri; content:"oc="; nocase; http_uri; content:"kkcnt="; nocase; http_uri; content:"w="; nocase; http_uri; content:"Host|3A| rs.cometsystems.com"; nocase; reference:url,www.spywareguide.com/product_show.php?id=428; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065; classtype:misc-activity; sid:5833; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware exact.bargainbuddy runtime detection - bullseye network side search frame"; flow:to_server,established; content:"/cf/si.php?"; nocase; 
http_uri; content:"cn="; nocase; http_uri; content:"he="; nocase; http_uri; content:"xurl="; nocase; http_uri; content:"Host|3A| offers.bullseye-network.com"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068324; classtype:misc-activity; sid:6227; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime detection - update requests"; flow:to_server,established; content:"Host|3A| update.cc.cometsystems.com"; nocase; http_header; pcre:"/\x2F[^\s]*\.(dat|xml)\?[^\s]*v=[^\s]*t=[^\s]*c=/Ui"; reference:url,www.spywareguide.com/product_show.php?id=428; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065; classtype:misc-activity; sid:5831; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware exact.bargainbuddy runtime detection - ads - getsize request"; flow:to_server,established; content:"/cf/getsize.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"w="; nocase; http_uri; content:"User-Agent|3A| MyAgent"; nocase; content:"Host|3A| offers.bullseye-network.com"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068324; classtype:misc-activity; sid:6225; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPYWARE-PUT Adware exact.bargainbuddy runtime detection - disclaimer text"; flow:to_client,established; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime search detection - search request 1"; flow:to_server,established; content:"/dp/search?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"src_id="; nocase; http_uri; content:"it="; nocase; http_uri; content:"client_id="; nocase; http_uri; content:"version="; nocase; http_uri; content:"qry="; nocase; http_uri; 
content:"Host|3A| as.cometsystems.com"; nocase; reference:url,www.spywareguide.com/product_show.php?id=428; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065; classtype:misc-activity; sid:5832; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime detection - track activity"; flow:to_server,established; content:"/dss/cc.2_0_0."; nocase; content:"_u"; distance:0; nocase; content:"Host|3A|"; nocase; content:"log.cc.cometsystems.com"; distance:0; nocase; pcre:"/\x2Fdss\x2Fcc\.2_0_0\.(report)|(log)_u.*Host\x3A[^\r\n]*log\.cc\.cometsystems\.com/smi"; reference:url,www.spywareguide.com/product_show.php?id=428; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065; classtype:misc-activity; sid:5830; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware spyfalcon runtime detection - action report"; flow:to_server,established; content:"/adminsscript/softadmin.php"; fast_pattern; nocase; http_uri; content:"action="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; content:"asdbiz.biz"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*asdbiz\x2Ebiz/smi"; reference:url,castlecops.com/a6514-SpyFalcon_a_nightmare_rebranded.html; reference:url,webhelper4u.com/CWS2/cwslists/cwsbyip.txt; classtype:misc-activity; sid:6485; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware exact.bargainbuddy runtime detection - ads - request"; flow:to_server,established; content:"/cf/?t="; nocase; http_uri; content:"&s=outblaze"; nocase; http_uri; content:"&x=http|3A|/"; nocase; http_uri; content:"Host|3A| offers.bullseye-network.com"; fast_pattern; nocase; http_header; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453068324; reference:url,www.spywareguide.com/product_show.php?id=463; classtype:misc-activity; sid:6226; rev:9;) # alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Adware spyfalcon runtime detection - notification"; flow:to_server,established; content:"/ssoft/softadmin.php"; fast_pattern; nocase; http_uri; content:"action="; nocase; http_uri; content:"id="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; content:"zopabora.info"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*zopabora\x2Einfo/smi"; reference:url,castlecops.com/a6514-SpyFalcon_a_nightmare_rebranded.html; reference:url,webhelper4u.com/CWS2/cwslists/cwsbyip.txt; classtype:misc-activity; sid:6486; rev:7;) # alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt - empty SMB 1"; flow:to_client,established; dsize:4; content:"|00 00 AA AA|"; depth:4; reference:cve,2009-3676; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; classtype:attempted-dos; sid:16453; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT IBM Access Support ActiveX GetXMLValue method buffer overflow attempt"; flow:to_client,established; content:".GetXMLValue"; fast_pattern; content:"String.fromCharCode"; pcre:"/String\x2EfromCharCode\s*\x28(?=[^\x29]*?0x\d+)[^\x29]*?\d{2}/"; reference:bugtraq,34228; reference:cve,2009-0215; classtype:attempted-user; sid:16750; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt"; flow:established,to_client; content:"Content|2D|Type|3A 20|message|2F|rfc822"; nocase; http_header; pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; 
reference:cve,2005-3382; classtype:attempted-user; sid:17247; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt"; flow:established,to_client; content:"Content|2D|Type|3A 20|text|2F|html"; nocase; http_header; pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; reference:cve,2005-3382; classtype:attempted-user; sid:17246; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt"; flow:established,to_client; content:"Content|2D|Type|3A 20|application|2F|bat"; nocase; http_header; pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; reference:cve,2005-3382; classtype:attempted-user; sid:17248; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED SPECIFIC-THREATS Adobe RoboHelp r0 SQL injection attempt"; flow:stateless; content:"Help_Errors.asp"; nocase; pcre:"/\x26r0\x3d\d*[^\x26\s\d]/smi"; reference:cve,2008-2991; classtype:web-application-attack; sid:17779; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPYWARE-PUT Trackware casalemedia runtime detection"; flow:to_client,established; content:"Set-Cookie|3A| "; nocase; content:"Domain=casalemedia.com"; nocase; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082755; classtype:successful-recon-limited; sid:5910; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST USER-AGENT known malicious user-agent string contype"; flow:to_server,established; content:"User-Agent|3A| contype|0D 0A|"; nocase; http_header; reference:url,labs.snort.org/docs/18372.html; classtype:trojan-activity; sid:18372; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Trackware earthlink toolbar runtime detection - track activity"; flow:to_server,established; content:"/track?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"earthlink"; fast_pattern; nocase; http_uri; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7519; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Trackware earthlink toolbar runtime detection - click news button links"; flow:to_server,established; content:"/article/"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"enews.earthlink.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*enews\x2Eearthlink\x2Enet/smiH"; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7523; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST USER-AGENT known malicious user-agent string FSD"; flow:to_server,established; content:"User-Agent|3A| FSD|0D 0A|"; nocase; http_header; reference:url,labs.snort.org/docs/18344.html; classtype:trojan-activity; sid:18344; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST USER-AGENT known malicious user-agent string Install Stub"; flow:to_server,established; content:"User-Agent|3A| Install Stub|0D 0A|"; nocase; http_header; reference:url,labs.snort.org/docs/18384.html; classtype:trojan-activity; sid:18384; rev:4;) # 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SPECIFIC-THREATS Microsoft SPNEGO ASN.1 library heap corruption overflow attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate "; nocase; http_header; pcre:"/^Authorization\x3a\s*Negotiate\s*((YE4G.{40}LgMc)|(YIIQ.{40}QUFB))/smiH"; reference:bugtraq,9633; reference:cve,2003-0818; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-admin; sid:12905; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"DELETED SPECIFIC-THREATS netsky.af smtp propagation detection"; flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; reference:url,www.f-secure.com/v-descs/netsky-af.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF; classtype:trojan-activity; sid:9405; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED PHISHING-SPAM extoleye.ru known spam email attempt"; flow:to_server, established; content:"extoleye.ru"; nocase; classtype:policy-violation; sid:16986; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED PHISHING-SPAM pamperletter.ru known spam email attempt"; flow:to_server, established; content:"pamperletter.ru"; nocase; classtype:policy-violation; sid:17028; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED PHISHING-SPAM miltyrefil.ru known spam email attempt"; flow:to_server, established; content:"miltyrefil.ru"; nocase; classtype:policy-violation; sid:17019; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.tpydb.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|tpydb|03|com"; reference:cve,2010-3962; classtype:trojan-activity; sid:18126; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"DELETED SCADA RealWin SPC_TXTEVENT oversized packet buffer overflow"; 
flow:established,to_server; content:"|64 12 54 6A 10 00 00 00|"; depth:8; byte_test:4,>,1000,0,relative,little; reference:bugtraq,44150; reference:cve,2010-4142; classtype:attempted-admin; sid:18290; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"DELETED SCADA RealWin SPC_INITIALIZE oversized packet buffer overflow"; flow:established,to_server; content:"|64 12 54 6A 02 00 00 00|"; depth:8; byte_test:4,>,1000,0,relative,little; reference:bugtraq,44150; reference:cve,2010-4142; classtype:attempted-admin; sid:18288; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"DELETED SCADA RealWin SPC_INITIALIZE_RF oversized packet buffer overflow"; flow:established,to_server; content:"|64 12 54 6A 20 00 00 00|"; depth:8; byte_test:4,>,1000,0,relative,little; reference:bugtraq,44150; reference:cve,2010-4142; classtype:attempted-admin; sid:18289; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST USER-AGENT known malicious user-agent string NSIS_Inetc"; flow:to_server,established; content:"User-Agent|3A| NSIS_Inetc"; nocase; http_header; reference:url,labs.snort.org/docs/18339.html; classtype:trojan-activity; sid:18339; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST URI request for known malicious URI - /?epl="; flow:established,to_server; content:"/?epl="; depth:6; nocase; http_uri; pcre:"/^\/\?epl=[A-Z\d_\-]{100}/Ui"; reference:url,www.virustotal.com/file-scan/report.html?id=418455fabee119eb458fac6e7a41b946843e5bdccf30b77b4f605af8911eb54c-1311847337; classtype:trojan-activity; sid:19630; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST URI request for known malicious URI - .ippi?g="; flow:established,to_server; content:".ippi?g="; nocase; http_uri; pcre:"/[A-Z\d]{8}-[A-Z\d]{4}-[A-Z\d]{4}-[A-Z\d]{4}-[A-Z\d]{12}\.ippi\?g=[A-Z\d]{8}-[A-Z\d]{4}-[A-Z\d]{4}-[A-Z\d]{4}-[A-Z\d]{12}/Ui"; 
reference:url,www.virustotal.com/file-scan/report.html?id=3b8d896625264371167fbe5b18b4fabf2a99cc4dc4bd655609d92991f1bd515a-1311744750; classtype:trojan-activity; sid:19629; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 110.770304123.cn"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|110|09|770304123|02|cn"; reference:url,labs.snort.org/docs/17865.html; classtype:trojan-activity; sid:17865; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain px.smowtion.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|px|08|smowtion|03|com"; reference:url,labs.snort.org/docs/17825.html; classtype:trojan-activity; sid:17825; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 122.770304123.cn"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|122|09|770304123|02|cn"; reference:url,labs.snort.org/docs/17862.html; classtype:trojan-activity; sid:17862; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST URI request for known malicious URI - GoogleListener.aspx"; flow:established,to_server; content:"/GoogleListener.aspx?rt=afd&pt="; nocase; http_uri; content:"rid="; nocase; http_uri; pcre:"/\/GoogleListener.aspx\?rt=afd\x26pt=\d\x26rid=[A-Z\d\-]+\x26dn=/Ui"; reference:url,www.virustotal.com/file-scan/report.html?id=4830ea7b677d2a5310f65b5b95d8da3312d775b574112f675fe583ad0527cd7e-1311854792; classtype:trojan-activity; sid:19624; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST URI request for known malicious URI - /a.gif?V="; flow:established,to_server; content:"/a.gif?V="; nocase; http_uri; content:"cpu|3A|"; nocase; http_uri; content:!"Host|3A| 
beacon.sina.com.cn"; nocase; pcre:"/\/a\.gif\?V=\d[^\r\n]+\x7Ccpu\x3A(x86|x64)\x7Cpf\x3AWin/Ui"; reference:url,www.virustotal.com/file-scan/report.html?id=665b28200701f9c23af1d8c649ea7d42d07009db45f8c8aff5730b0f521b7f12-1309580343; classtype:trojan-activity; sid:19634; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"DELETED SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt"; flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; content:"|05 00 00 00 88 88 88 88 09 00 00 00|"; depth:12; offset:52; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18314; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED SPECIFIC-THREATS Apache Tomcat JK Web Server Connector long URL stack overflow attempt - 2"; flow:to_server,established; urilen:>1440; content:"GET /"; depth:5; pcre:"/^\x2F[a-z0-9]{16}[^a-z0-9\x2F\x3F\x26]/iU"; reference:bugtraq,22791; reference:cve,2007-0774; classtype:attempted-admin; sid:17108; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED SPECIFIC-THREATS Apache Tomcat JK Web Server Connector long URL stack overflow attempt"; flow:to_server,established; urilen:>1024; content:"|90 90 90 90 90 90 90 90 90 90 90|"; http_uri; reference:bugtraq,22791; reference:cve,2007-0774; classtype:attempted-admin; sid:18287; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 38292 (msg:"DELETED WEB-MISC Symantec Alert Management System pin number buffer overflow attempt"; flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"PAGE"; depth:4; offset:30; content:"PinNumber|00|"; distance:0; byte_test:2,>,256,0,relative,little; reference:cve,2010-0110; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00; classtype:attempted-user; 
sid:19891; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itms|3A 2F 2F|"; fast_pattern; nocase; content:"|3A|"; within:50; isdataat:256,relative; content:!"|2F|"; within:256; reference:cve,2009-0950; classtype:attempted-user; sid:20163; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itmss|3A 2F 2F|"; fast_pattern; nocase; content:"|3A|"; within:50; isdataat:256,relative; content:!"|2F|"; within:256; reference:cve,2009-0950; classtype:attempted-user; sid:20166; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"pcast|3A 2F 2F|"; fast_pattern; nocase; content:"|3A|"; within:50; isdataat:256,relative; content:!"|2F|"; within:256; reference:cve,2009-0950; classtype:attempted-user; sid:20164; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"daap|3A 2F 2F|"; fast_pattern; nocase; content:"|3A|"; within:50; isdataat:256,relative; content:!"|2F|"; within:256; reference:cve,2009-0950; classtype:attempted-user; sid:20167; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|B6 84 05 8D 81 80 08 FF E3 A1 87 05 EA 88 A8 83 05 DE 8B B6 04 EA 80 80 08 D6 8B B6 04 99 D0 81 D0 06 EA 80 08 EA 80 A8 03 81 8A B6 04 D0 80 80|"; fast_pattern:only; reference:cve,2011-1353; reference:url,www.adobe.com/support/security/bulletins/apsb11-24.html; classtype:attempted-user; sid:20161; 
rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT Apple iTunes protocol handler stack buffer overflow attempt"; flow:to_client,established; file_data; content:"itpc|3A 2F 2F|"; fast_pattern; nocase; content:"|3A|"; within:50; isdataat:256,relative; content:!"|2F|"; within:256; reference:cve,2009-0950; classtype:attempted-user; sid:20165; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid unicode access "; flow:established,to_client; content:"0|00|E|00|C|00|D|00|9|00|B|00|6|00|4|00|-|00|2|00|3|00|A|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|3|00|5|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|5|00|D|00|8|00|E|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00E\x00C\x00D\x009\x00B\x006\x004\x00-\x002\x003\x00A\x00A\x00-\x001\x001\x00D\x000\x00-\x00B\x003\x005\x001\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x005\x00D\x008\x00E\x00(}\x00)?(?P=q24)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15101; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call unicode access "; flow:established,to_client; content:"M|00|S|00|D|00|a|00|t|00|a|00|G|00|r|00|i|00|d|00|L|00|i|00|b|00|.|00|D|00|a|00|t|00|a|00|G|00|r|00|i|00|d|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00D\x00a\x00t\x00a\x00G\x00r\x00i\x00d\x00L\x00i\x00b\x00.\x00D\x00a\x00t\x00a\x00G\x00r\x00i\x00d\x00(\.\x00\d\x00)?(?P=q35)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00D\x00a\x00t\x00a\x00G\x00r\x00i\x00d\x00L\x00i\x00b\x00.\x00D\x00a\x00t\x00a\x00G\x00r\x00i\x00d\x00(\.\x00\d\x00)?(?P=q36)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15095; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call unicode access "; flow:established,to_client; content:"M|00|s|00|R|00|D|00|P|00|.|00|M|00|s|00|R|00|D|00|P|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00s\x00R\x00D\x00P\x00.\x00M\x00s\x00R\x00D\x00P\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00s\x00R\x00D\x00P\x00.\x00M\x00s\x00R\x00D\x00P\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15864; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call 
unicode access "; flow:established,to_client; content:"M|00|S|00|C|00|h|00|a|00|r|00|t|00|2|00|0|00|L|00|i|00|b|00|.|00|M|00|S|00|C|00|h|00|a|00|r|00|t|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00C\x00h\x00a\x00r\x00t\x002\x000\x00L\x00i\x00b\x00.\x00M\x00S\x00C\x00h\x00a\x00r\x00t\x00(\.\x00\d\x00)?(?P=q45)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00C\x00h\x00a\x00r\x00t\x002\x000\x00L\x00i\x00b\x00.\x00M\x00S\x00C\x00h\x00a\x00r\x00t\x00(\.\x00\d\x00)?(?P=q46)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15091; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid unicode access "; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|4|00|1|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x004\x001\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; 
classtype:attempted-user; sid:15686; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid unicode access "; flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|9|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x009\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15690; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access "; flow:established,to_client; content:"A|00|c|00|r|00|o|00|P|00|D|00|F|00|.|00|P|00|D|00|F|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)A\x00c\x00r\x00o\x00P\x00D\x00F\x00.\x00P\x00D\x00F\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)A\x00c\x00r\x00o\x00P\x00D\x00F\x00.\x00P\x00D\x00F\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2009-2987; classtype:attempted-user; sid:16389; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid unicode access "; flow:established,to_client; content:"B|00|0|00|9|00|D|00|E|00|7|00|1|00|5|00|-|00|8|00|7|00|C|00|1|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|B|00|E|00|3|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|4|00|D|00|A|00|1|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x009\x00D\x00E\x007\x001\x005\x00-\x008\x007\x00C\x001\x00-\x001\x001\x00D\x001\x00-\x008\x00B\x00E\x003\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x004\x00D\x00A\x001\x00(}\x00)?(?P=q39)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15085; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call unicode access "; flow:established,to_client; content:"M|00|S|00|H|00|i|00|e|00|r|00|a|00|r|00|c|00|h|00|i|00|c|00|a|00|l|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|L|00|i|00|b|00|.|00|M|00|S|00|H|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00H\x00i\x00e\x00r\x00a\x00r\x00c\x00h\x00i\x00c\x00a\x00l\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00i\x00b\x00.\x00M\x00S\x00H\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00(\.\x00\d\x00)?(?P=q25)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00H\x00i\x00e\x00r\x00a\x00r\x00c\x00h\x00i\x00c\x00a\x00l\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00i\x00b\x00.\x00M\x00S\x00H\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00(\.\x00\d\x00)?(?P=q26)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4254; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15103; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call unicode access "; flow:established,to_client; content:"O|00|W|00|C|00|1|00|1|00|.|00|S|00|p|00|r|00|e|00|a|00|d|00|s|00|h|00|e|00|e|00|t|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x001\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x001\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; 
reference:cve,2009-1136; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15692; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Shell.Explorer 2 ActiveX function call unicode access "; flow:established,to_client; content:"S|00|h|00|e|00|l|00|l|00|.|00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)S\x00h\x00e\x00l\x00l\x00.\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00(\.\x00\d\x00)?(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)S\x00h\x00e\x00l\x00l\x00.\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00(\.\x00\d\x00)?(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15113; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call unicode access "; flow:established,to_client; content:"M|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|L|00|i|00|b|00|.|00|M|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)M\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00i\x00b\x00.\x00M\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00(\.\x00\d\x00)?(?P=q30)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)M\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00i\x00b\x00.\x00M\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00(\.\x00\d\x00)?(?P=q31)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15099; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid unicode access "; flow:established,to_client; content:"E|00|2|00|8|00|8|00|3|00|E|00|8|00|F|00|-|00|4|00|7|00|2|00|F|00|-|00|4|00|f|00|b|00|0|00|-|00|9|00|5|00|2|00|2|00|-|00|A|00|C|00|9|00|B|00|F|00|3|00|7|00|9|00|1|00|6|00|A|00|7|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x002\x008\x008\x003\x00E\x008\x00F\x00-\x004\x007\x002\x00F\x00-\x004\x00f\x00b\x000\x00-\x009\x005\x002\x002\x00-\x00A\x00C\x009\x00B\x00F\x003\x007\x009\x001\x006\x00A\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; content:"<|00|P|00|A|00|R|00|A|00|M|00|"; nocase; 
# NOTE(review): the first pcre on this line (sid:16372, continued from the preceding line) contains "P\x00A\x00\R\x00A\x00M".
# In PCRE "\R" is the any-newline-sequence escape, not a literal "R", and the "M" is not followed by "\x00", so the
# expression as shown cannot match the UTF-16 "<PARAM name=" it is evidently written for. This may be a transcription
# artifact of this copy rather than the shipped rule text -- compare against the original before drawing conclusions.
# NOTE(review): every "(?P\x22\x00|\x27\x00|)" opener on this line has lost its group name while the back-reference
# ("(?P=q3)", "(?P=q44)") survived, which leaves the pcre syntactically invalid as shown; the name is recoverable from
# the back-reference, e.g. "(?P<q3>\x22\x00|\x27\x00|)" for "(?P=q3)". Presumably "<name>" was stripped as HTML markup.
pcre:"/<\x00P\x00A\x00\R\x00A\x00M([^>]\x00)*n\x00a\x00m\x00e\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)(\s\x00)*(S\x00e\x00r\x00v\x00i\x00c\x00e\x00-\x00U\x00r\x00l\x00|I\x00t\x00e\x00m\x00I\x00D\x00|L\x00a\x00n\x00g\x00u\x00a\x00g\x00e\x00)(\s\x00)*(?P=q3)(?=\s\x00|>\x00)/siO"; reference:bugtraq,37759; reference:cve,2009-3958; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; classtype:attempted-user; sid:16372; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid unicode access "; flow:established,to_client; content:"3|00|A|00|2|00|B|00|3|00|7|00|0|00|C|00|-|00|B|00|A|00|0|00|A|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|1|00|3|00|7|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|3|00|F|00|5|00|D|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00A\x002\x00B\x003\x007\x000\x00C\x00-\x00B\x00A\x000\x00A\x00-\x001\x001\x00D\x001\x00-\x00B\x001\x003\x007\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x003\x00F\x005\x00D\x00(}\x00)?(?P=q44)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4256; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15089; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid unicode access "; flow:established,to_client; content:"4|00|E|00|B|00|8|00|9|00|F|00|F|00|4|00|-|00|7|00|F|00|7|00|8|00|-|00|4|00|A|00|0|00|F|00|-|00|8|00|B|00|8|00|D|00|-|00|2|00|B|00|F|00|0|00|2|00|E|00|9|00|4|00|E|00|4|00|B|00|2|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00E\x00B\x008\x009\x00F\x00F\x004\x00-\x007\x00F\x007\x008\x00-\x004\x00A\x000\x00F\x00-\x008\x00B\x008\x00D\x00-\x002\x00B\x00F\x000\x002\x00E\x009\x004\x00E\x004\x00B\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:cve,2009-1929; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-044; classtype:attempted-user; sid:15862; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid unicode access "; flow:established,to_client; content:"E|00|A|00|B|00|2|00|2|00|A|00|C|00|3|00|-|00|3|00|0|00|C|00|1|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|7|00|E|00|B|00|-|00|0|00|0|00|0|00|0|00|C|00|0|00|5|00|B|00|A|00|E|00|0|00|B|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00A\x00B\x002\x002\x00A\x00C\x003\x00-\x003\x000\x00C\x001\x00-\x001\x001\x00C\x00F\x00-\x00A\x007\x00E\x00B\x00-\x000\x000\x000\x000\x00C\x000\x005\x00B\x00A\x00E\x000\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; reference:cve,2008-4258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15110; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid unicode access "; flow:established,to_client; content:"C|00|D|00|E|00|5|00|7|00|A|00|4|00|3|00|-|00|8|00|B|00|8|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|3|00|C|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|A|00|E|00|A|00|8|00|2|00|"; nocase; 
pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00D\x00E\x005\x007\x00A\x004\x003\x00-\x008\x00B\x008\x006\x00-\x001\x001\x00D\x000\x00-\x00B\x003\x00C\x006\x00-\x000\x000\x00A\x000\x00C\x009\x000\x00A\x00E\x00A\x008\x002\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4252; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15093; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access "; flow:established,to_client; content:"C|00|A|00|8|00|A|00|9|00|7|00|8|00|0|00|-|00|2|00|8|00|0|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|2|00|4|00|D|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x008\x00A\x009\x007\x008\x000\x00-\x002\x008\x000\x00D\x00-\x001\x001\x00C\x00F\x00-\x00A\x002\x004\x00D\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x000\x000\x000\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; reference:cve,2009-2987; classtype:attempted-user; sid:16387; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call unicode access "; flow:established,to_client; content:"O|00|W|00|C|00|1|00|0|00|.|00|S|00|p|00|r|00|e|00|a|00|d|00|s|00|h|00|e|00|e|00|t|00|"; nocase; 
pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x000\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)O\x00W\x00C\x001\x000\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2009-2496; reference:url,support.microsoft.com/kb/973472; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-043; classtype:attempted-user; sid:15688; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid unicode access "; flow:established,to_client; content:"8|00|8|00|5|00|6|00|F|00|9|00|6|00|1|00|-|00|3|00|4|00|0|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|9|00|6|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|5|00|A|00|2|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x008\x005\x006\x00F\x009\x006\x001\x00-\x003\x004\x000\x00A\x00-\x001\x001\x00D\x000\x00-\x00A\x009\x006\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x007\x000\x005\x00A\x002\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; reference:bugtraq,11466; reference:cve,2005-0053; reference:cve,2008-4258; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-038; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-014; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-073; classtype:attempted-user; sid:15111; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"DELETED WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid unicode access "; flow:established,to_client; content:"6|00|2|00|6|00|2|00|D|00|3|00|A|00|0|00|-|00|5|00|3|00|1|00|B|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|1|00|F|00|6|00|-|00|C|00|2|00|8|00|6|00|3|00|C|00|3|00|8|00|5|00|E|00|3|00|0|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x002\x006\x002\x00D\x003\x00A\x000\x00-\x005\x003\x001\x00B\x00-\x001\x001\x00C\x00F\x00-\x009\x001\x00F\x006\x00-\x00C\x002\x008\x006\x003\x00C\x003\x008\x005\x00E\x003\x000\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; reference:cve,2008-4253; reference:url,support.microsoft.com/kb/960715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15097; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call unicode access "; flow:established,to_client; content:"m|00|s|00|c|00|o|00|m|00|c|00|t|00|l|00|2|00|.|00|a|00|n|00|i|00|m|00|a|00|t|00|i|00|o|00|n|00|"; nocase; pcre:"/(?P\w+)(\s\x00)*=(\s\x00)*(?P\x22|\x27|)m\x00s\x00c\x00o\x00m\x00c\x00t\x00l\x002\x00.\x00a\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00(\.\x00\d\x00)?(?P=q40)(\s|>)(\s\x00)*\x3b\x00.*(?P(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P\x22|\x27|)m\x00s\x00c\x00o\x00m\x00c\x00t\x00l\x002\x00.\x00a\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00(\.\x00\d\x00)?(?P=q41)(\s|>)(\s\x00)*\)\x00/smiO"; reference:cve,2008-4255; reference:url,support.microsoft.com/kb/960715; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-070; classtype:attempted-user; sid:15087; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT MultiMedia Jukebox playlist file handling heap overflow attempt"; flow:to_client,established; flowbits:isset,file.m3u; content:"http|3A 2F 2F|"; isdataat:262,relative; content:!"|0D|"; within:262; reference:cve,2009-2650; classtype:attempted-user; sid:20236; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED VOIP-SIP from header field buffer overflow attempt"; content:"From|3A|"; fast_pattern:only; nocase; pcre:"/^From\x3A\s+[^\r\n]{256}/smi"; reference:url,www.cert.org/advisories/CA-2003-06.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-user; sid:11978; rev:6;) # alert udp $EXTERNAL_NET 5060 -> $HOME_NET any (msg:"DELETED VOIP-SIP response code not three digits"; content:"SIP/2.0 "; depth:8; nocase; pcre:"/^SIP\/2\.0\s+(?!\d{3})/smi"; reference:bugtraq,23093; reference:cve,2007-1594; classtype:attempted-admin; sid:12072; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED VOIP-SIP response too small"; dsize:<11; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:misc-activity; sid:11974; rev:4;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED VOIP-SIP OPTIONS request missing RFC-mandated Via field"; content:"OPTIONS"; depth:7; nocase; content:!"Via|3A|"; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13587; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED VOIP-SIP OPTIONS request missing RFC-mandated Call-ID field"; content:"OPTIONS"; depth:7; nocase; content:!"Call-ID|3A|"; nocase; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13588; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED VOIP-SIP TCP REGISTER flood"; flow:to_server,established; content:"REGISTER"; depth:8; nocase; 
# NOTE(review): sid:20506 (flac magic) sets flowbit "http.flac" whereas the sibling FILE-IDENTIFY rules here set
# "file.<type>" (file.rmf, file.png, ...); a consumer rule written for "file.flac" would never see it set -- confirm
# the intended flowbit name if this rule is ever resurrected.
# NOTE(review): sid:18085 and sid:18088 test bits 64/32/16/8 of byte 2 separately (opcode == 0) but never bit 128
# (QR), so as written they also match DNS *responses* that carry the name; the later rule for the same domain on this
# line, sid:18112, uses the single "byte_test:1,!&,0xF8,2" mask, which requires QR == 0 as well, and adds
# "fast_pattern:only". The same two domains are re-issued with the 0xF8 form further down this file
# (jsshmz.gotoip4.com, wenyixuan.3322.org), which presumably is why the four-byte_test versions were retired.
content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^REGISTER\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; detection_filter:track by_src, count 100, seconds 25; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19390; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY flac file magic detection"; flow:to_client,established; file_data; content:"|66 4C 61 43|"; depth:4; flowbits:set,http.flac; flowbits:noalert; classtype:misc-activity; sid:20506; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY rmf file magic detection"; flow:to_client,established; file_data; content:"|2E 52 4D 46|"; depth:4; flowbits:set,file.rmf; flowbits:noalert; classtype:misc-activity; sid:20517; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|jsshmz|07|gotoip4|03|com"; classtype:trojan-activity; sid:18085; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wenyixuan.3322.org"; flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|wenyixuan|04|3322|03|org"; classtype:trojan-activity; sid:18088; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wenyixuan.3322.org."; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wenyixuan|04|3322|03|org"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18112; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY PNG file magic detection"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; flowbits:set,file.png; flowbits:noalert; classtype:misc-activity; sid:6688; 
# NOTE(review): several "magic" rules on this line anchor a chunk/tag string to the first four bytes of file_data
# ("depth:4"): sid:20510 looks for |57 41 56 45| ("WAVE"), sid:20509 for |41 56 49 20| ("AVI "), sid:20482 for
# |45 78 69 66| ("Exif"). In a RIFF container the form type follows the "RIFF"/"RIFX" header and size field, and a
# JPEG begins with the SOI marker rather than the Exif tag, so these presumably only fire on bare chunk data, not on
# the files their msg names -- likely the reason they were superseded. Note also that sid:20509 matches "AVI " bytes
# yet carries a WAV msg and sets file.wav; a consumer gating on file.wav could be triggered by AVI content.
rev:11;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Microsoft Office Excel BIFF v5 file magic detection"; flow:to_client,established; file_data; content:"|09 08 08 00 00 05 05 00|"; depth:8; flowbits:set,file.xls.biff5; flowbits:noalert; classtype:misc-activity; sid:18810; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY RAR file magic detection"; flow:to_client,established; file_data; content:"|52 61 72 20|"; depth:4; flowbits:set,file.rar; flowbits:noalert; classtype:misc-activity; sid:20473; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY shockwave file magic detection"; flow:to_client,established; file_data; content:"|52 49 46 58|"; depth:4; flowbits:set,file.swf; flowbits:noalert; classtype:misc-activity; sid:20508; rev:6;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY WAV file magic detection"; flow:to_client,established; file_data; content:"|57 41 56 45|"; depth:4; flowbits:set,file.wav; flowbits:noalert; classtype:misc-activity; sid:20510; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|45 78 69 66|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; classtype:misc-activity; sid:20482; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY WAV file magic detection"; flow:to_client,established; file_data; content:"|41 56 49 20|"; depth:4; flowbits:set,file.wav; flowbits:noalert; classtype:misc-activity; sid:20509; rev:7;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY bmp file magic detection"; flow:to_client,established; file_data; content:"BM"; depth:2; flowbits:set,file.bmp; flowbits:noalert; classtype:misc-activity; sid:20457; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"DELETED SPECIFIC-THREATS Apache Tomcat Java AJP connector invalid header timeout denial of service attempt"; flow:established,to_server; content:"localhost:x"; nocase; http_header; reference:bugtraq,35193; reference:cve,2009-0033; classtype:attempted-dos; sid:20613; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain coop.crwdcntrl.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|coop|09|crwdcntrl|03|net"; fast_pattern:only; reference:url,labs.snort.org/docs/17841.html; classtype:trojan-activity; sid:17841; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Microsoft Office Excel file download request"; flow:to_server,established; content:".xls"; nocase; http_uri; pcre:"/\x2exls([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xls; flowbits:noalert; classtype:misc-activity; sid:20791; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Adobe Shockwave Flash file download request"; flow:to_server,established; content:".swf"; nocase; http_uri; pcre:"/\x2eswf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.swf; flowbits:noalert; classtype:misc-activity; sid:20797; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".doc"; nocase; http_uri; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:noalert; classtype:misc-activity; sid:20794; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC Trojan Win32.Sasfis outbound connection"; flow:to_server,established; content:"stat.htm?id="; http_uri; content:"ntime="; distance:0; http_uri; content:"repeatip="; distance:0; http_uri; content:"cnzz_eid="; distance:0; http_uri; content:"showp="; distance:0; http_uri; 
reference:url,www.virustotal.com/file-scan/report.html?id=54bfb6b8f946ec8ac6dcd67273620ac3e92190f35435803c70ce3b9b179f18ea-1316549483; classtype:trojan-activity; sid:20760; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC Win32.Kazy variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|"; nocase; http_header; content:"User-Agent|3A 20|"; distance:0; nocase; http_header; pcre:"/^User-Agent\x3a\x20[^\r\n]*User-Agent/smiH"; reference:url,www.virustotal.com/file-scan/report.html?id=fdbe8f44cc6e62fd3fadf5f169bd0a67ff95823d93df322eb95410aeda5a6d9d-1313625463; classtype:trojan-activity; sid:20757; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain bn.xp1.ru4.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|bn|03|xp1|03|ru4|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17888.html; classtype:trojan-activity; sid:17888; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ktr.t134.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ktr|04|t134|03|net"; fast_pattern:only; reference:url,labs.snort.org/docs/17818.html; classtype:trojan-activity; sid:17818; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC Trojan Win32.Murofet.A outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"|2F|forum|2F|"; fast_pattern; nocase; http_uri; content:!"|0D 0A|Referer|3A|"; nocase; http_header; pcre:"/\x2Fforum\x2F$/Ui"; pcre:"/^Host\x3A\x20[a-z]{10,16}\x2E(net|info|org|com|biz)/Rm"; reference:url,www.virustotal.com/file-scan/report.html?id=a3203f202e04fdaab5c51f8b99d3750e64b4911c7cc62114d69ac2264aa18d02-1286757825; classtype:trojan-activity; sid:19051; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xoomer.virgilio.it - Backdoor.Win32.Clar.d"; flow:to_server; 
byte_test:1,!&,0xF8,2; content:"|06|xoomer|08|virgilio|02|it"; fast_pattern:only; reference:url,labs.snort.org/docs/16905.html; classtype:trojan-activity; sid:16905; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"DELETED SCADA Modbus invalid protocol version"; flow:established,to_server; byte_test:2,>,0,2; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15072; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"DELETED SCADA Modbus oversized payload"; flow:established,to_server; byte_test:2,>,256,4; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15073; rev:4;) # alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"DELETED SCADA DNP3 reserved destination address"; flow:established,to_client; content:"|05|d"; depth:2; byte_test:2,>,65519,4,little; byte_test:2,<,65532,4,little; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15721; rev:4;) # alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"DELETED SCADA DNP3 reserved source address"; flow:established,to_client; content:"|05|d"; depth:2; byte_test:2,>,65519,6,little; byte_test:2,<,65532,6,little; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15720; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BOTNET-CNC Trojan Win32 SensLiceld.A runtime traffic detected"; flow:to_client,established; content:"|5B 00|S|00|E|00|R|00|V|00|E|00|R|00 5D 00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|00 20 00|t|00|o|00 20 00|"; depth:44; nocase; reference:url,www.virustotal.com/latest-report.html?resource=53ba6845f57f8e9ef600ef166be3be14; classtype:trojan-activity; sid:20065; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain h1.ripway.com - Trojan.Win32.Refroso.bcdq"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|02|h1|06|ripway|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/16889.html; classtype:trojan-activity; sid:16889; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.dsnextgen.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|dsnextgen|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17833.html; classtype:trojan-activity; sid:17833; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.myroitracking.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|myroitracking|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17823.html; classtype:trojan-activity; sid:17823; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain px.mgplatform.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|px|0A|mgplatform|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17869.html; classtype:trojan-activity; sid:17869; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain utm.trk.myfuncards.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|utm|03|trk|0A|myfuncards|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17867.html; classtype:trojan-activity; sid:17867; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain members.multimania.co.uk - Trojan.Win32.Inject.ahqv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|members|0A|multimania|02|co|02|uk"; fast_pattern:only; reference:url,labs.snort.org/docs/16866.html; classtype:trojan-activity; sid:16866; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain c7.zxxds.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|c7|05|zxxds|03|net"; fast_pattern:only; reference:url,labs.snort.org/docs/17829.html; 
classtype:trojan-activity; sid:17829; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DELETED SPECIFIC-THREATS ASN.1 constructed bit string"; flow:to_server,established; content:"Authorization|3A| Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUF"; http_header; reference:cve,2005-1935; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; classtype:attempted-admin; sid:12709; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Microsoft Office Excel MergeCells record parsing code execution attempt"; flow:to_client, established; flowbits:isset,file.xls; file_data; content:"|00 02 00 01 00 0C 00 02 00 64 00 0F 00 02 00 01 00 11 00 02|"; reference:bugtraq,43652; reference:cve,2010-3237; classtype:attempted-admin; sid:20130; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Microsoft Internet Explorer 6/7 CSS swapNode memory corruption attempt"; flow:to_client,established; file_data; content:"redhat|2E|insertAdjacentText|28 22|beforeEnd|22 2C 22|tESTNice|22 29 3B|"; content:"redhat|2E|swapNode|28|redhat|29 3B|"; reference:cve,2011-0094; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-018; classtype:attempted-user; sid:18646; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT PeaZip command injection attempt"; flow:established,to_client; flowbits:isset,file.zip; content:"README.TXT"; nocase; pcre:"/^\s*\x22?\s+\x22\s*\x7C[^\x7C]+\x7C\s*\.txt/R"; reference:cve,2009-2261; reference:url,osvdb.org/54966; classtype:attempted-user; sid:21409; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED WEB-MISC paq8o file request"; flow:to_server,established; content:"|2E|paq8o"; nocase; http_uri; pcre:"/\x2Epaq8o([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; classtype:misc-activity; sid:21408; rev:2;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain in.chinaitlm.cn - Trojan.VBS.HideIcon.d"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|in|09|chinaitlm|02|cn"; fast_pattern:only; reference:url,labs.snort.org/docs/16848.html; classtype:trojan-activity; sid:16848; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain eq.pccppc.com - Trojan-Downloader.Win32.Pher.fkl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|eq|06|pccppc|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/16894.html; classtype:trojan-activity; sid:16894; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain xoomer.alice.it - Trojan-Downloader.Win32.Banload.kdu"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|xoomer|05|alice|02|it"; fast_pattern:only; reference:url,labs.snort.org/docs/16904.html; classtype:trojan-activity; sid:16904; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain site.mynet.com - Trojan.Win32.Buzus.dxsr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|site|05|mynet|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/16857.html; classtype:trojan-activity; sid:16857; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain downloadering.9966.org - Trojan.Win32.Vilsel.adxv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|downloadering|04|9966|03|org"; fast_pattern:only; reference:url,labs.snort.org/docs/16899.html; classtype:trojan-activity; sid:16899; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain d.trymedia.com - Trojan-Dropper.Win32.Delf.fkk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|d|08|trymedia|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/16886.html; classtype:trojan-activity; sid:16886; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain sympathy.hdnews.net - Trojan-Spy.Win32.Zbot.gen"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|sympathy|06|hdnews|03|net"; fast_pattern:only; reference:url,labs.snort.org/docs/16897.html; classtype:trojan-activity; sid:16897; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain dnfuu.3322.org - Trojan-Downloader.Win32.Genome.asrx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dnfuu|04|3322|03|org"; fast_pattern:only; reference:url,labs.snort.org/docs/16880.html; classtype:trojan-activity; sid:16880; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain down.toopc.com - Trojan-Dropper.Win32.Clons.hai"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|down|05|toopc|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/16867.html; classtype:trojan-activity; sid:16867; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain a.qq2233.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|a|06|qq2233|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17868.html; classtype:trojan-activity; sid:17868; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain zq2.9wee.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|zq2|04|9wee|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17861.html; classtype:trojan-activity; sid:17861; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain myanimalclips.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|myanimalclips|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17820.html; classtype:trojan-activity; sid:17820; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 447.cc"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|03|447|02|cc"; fast_pattern:only; reference:url,labs.snort.org/docs/17852.html; classtype:trojan-activity; sid:17852; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain animal36.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|animal36|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17877.html; classtype:trojan-activity; sid:17877; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain clickpotato.tv"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|clickpotato|02|tv"; fast_pattern:only; reference:url,labs.snort.org/docs/17892.html; classtype:trojan-activity; sid:17892; rev:6;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain play.unionsky.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|play|08|unionsky|02|cn"; fast_pattern:only; reference:url,labs.snort.org/docs/17848.html; classtype:trojan-activity; sid:17848; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain img100.xvideos.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|img100|07|xvideos|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17832.html; classtype:trojan-activity; sid:17832; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain ics.hotbar.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ics|06|hotbar|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17822.html; classtype:trojan-activity; sid:17822; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.027dj.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|027dj|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17880.html; classtype:trojan-activity; sid:17880; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain 114search1.118114.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|114search1|06|118114|02|cn"; fast_pattern:only; reference:url,labs.snort.org/docs/17890.html; classtype:trojan-activity; sid:17890; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 113552url.cptgt.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|113552url|05|cptgt|03|com"; fast_pattern:only; reference:url,labs.snort.org/docs/17896.html; classtype:trojan-activity; sid:17896; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wenyixuan.3322.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wenyixuan|04|3322|03|org"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18081; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain drs317a.gotoip4.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|drs317a|07|gotoip4|03|com"; fast_pattern:only; classtype:trojan-activity; sid:18084; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain netrand.house.sina.com.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|netrand|05|house|04|sina|03|com|02|cn"; fast_pattern:only; classtype:trojan-activity; sid:18080; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jsshmz|07|gotoip4|03|com"; fast_pattern:only; classtype:trojan-activity; sid:18079; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tiantianzaixian.gotoip1.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|tiantianzaixian|07|gotoip1|03|com"; fast_pattern:only; classtype:trojan-activity; sid:18087; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS 
request for known malware domain v.9y9c.co.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|v|04|9y9c|02|co|02|cc"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18111; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain tiantianzaixian.gotoip1.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|tiantianzaixian|07|gotoip1|03|com"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18110; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jsshmz|07|gotoip4|03|com"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18107; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.ybtour.co.kr"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|06|ybtour|02|co|02|kr"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18131; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain baidutaobao.gotoip55.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|baidutaobao|08|gotoip55|03|com"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18105; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain talk.cetizen.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|talk|07|cetizen|03|com"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18109; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain wusheng03.3322.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wusheng03|04|3322|03|org"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18113; rev:5;) # alert udp $HOME_NET any -> any 53 
(msg:"DELETED BLACKLIST DNS request for known malware domain dfgdd.9y6c.co.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dfgdd|04|9y6c|02|co|02|cc"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18166; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.maoyiren.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|maoyiren|03|com"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18153; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain mailzou.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mailzou|03|com"; fast_pattern:only; reference:cve,2010-3962; classtype:trojan-activity; sid:18183; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain 35free.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|35free|03|net"; fast_pattern:only; classtype:trojan-activity; sid:18268; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain move.su"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|move|02|su"; fast_pattern:only; classtype:trojan-activity; sid:18271; rev:5;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.registry.cu.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|registry|02|cu|02|cc"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=ae15dde45c435d246860bc88dbc355ed822b41b25cf90a7218ee2b421e5ab918-1311852771; classtype:trojan-activity; sid:19641; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain www.qqaz.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|04|qqaz|04|info"; fast_pattern:only; 
reference:url,www.virustotal.com/file-scan/report.html?id=7d0b19f3827e7a13ab78f40075454538123598a818e7f1e65da0962f89834767-1309589022; classtype:trojan-activity; sid:19642; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qfsl.co.cc - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|qfsl|02|co|02|cc"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19880; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jifr.co.cc - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jifr|02|co|02|cc|00|"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19877; rev:4;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain jifr.co.be - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|jifr|02|co|02|be"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19878; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain qfsl.co.be - Win32/Morto.A"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|qfsl|02|co|02|be"; fast_pattern:only; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19881; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known 
malware domain tarmu.narod.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tarmu|05|narod|02|ru"; fast_pattern:only; reference:url,www.virustotal.com/file-scan/report.html?id=b1e52289977e72ef905e07cbec8a7fbb72706fd2450aadb90acaf5377c0be8ef-1317048445; classtype:trojan-activity; sid:20203; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"DELETED BLACKLIST DNS request for known malware domain kasperskychk.dyndns.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|kasperskychk|06|dyndns|03|org"; fast_pattern:only; reference:url,www.virustotal.com/latest-report.html?resource=3d83b077d32c422d6c7016b5083b9fc2; classtype:trojan-activity; sid:20526; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Microsoft Windows embedded packager object with .application extension bypass attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"|10 AC 4F E4 26 6E 7B 91 52 E9 E6 CA 8A F4 61 18 CB AB 3C 25 09 CC 8D B9|"; reference:cve,2012-0013; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-005; classtype:attempted-user; sid:20881; rev:5;) # alert tcp $EXTERNAL_NET 20000 -> $HOME_NET any (msg:"DELETED SCADA DNP3 declared length too small"; flow:established,to_client; content:"|05|d"; depth:2; byte_test:1,<,5,0,relative; reference:url,www.dnp.org/About/Default.aspx; classtype:protocol-command-decode; sid:15712; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6070 (msg:"DELETED SPECIFIC-THREATS CA BrightStor Agent for Microsoft SQL overflow attempt"; flow:to_server,established; isdataat:1000; content:"ABCDAAAA"; reference:bugtraq,14453; reference:cve,2005-1272; classtype:attempted-admin; sid:11683; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 6070 (msg:"DELETED SPECIFIC-THREATS CA BrightStor Agent for Microsoft SQL overflow attempt"; flow:to_server; isdataat:1000; content:"|41 41 41 41 41 41 41 41 09 B1 6A 4A 59 D9 EE D9 74 24 F4 58 81 70 13 CF|"; fast_pattern:only; 
reference:bugtraq,14453; reference:cve,2005-1272; classtype:attempted-admin; sid:18602; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED SPECIFIC-THREATS Microsoft Exchange MODPROPS denial of service PoC attempt"; flow:to_server,established; content:"Content-Type|3A| text/calendar"; nocase; pcre:"/BEGIN\x3AVEVENT\x0D\x0A.*X-MICROSOFT-CDO-MODPROPS\x3A[^\n]*X-MICROSOFT-CDO-MODPROPS.+X-MICROSOFT-CDO-MODPROPS\x3A.+END\x3AVEVENT/smi"; reference:bugtraq,23808; reference:cve,2007-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-dos; sid:14742; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST USER-AGENT known Adware user agent Softonic"; flow:to_server,established; content:"User-Agent|3A| Softonic Downloader"; fast_pattern:only; http_header; reference:url,www.virustotal.com/file/37efdbc1eab50b290b4e7da0914e3030b3a654ac4030c08525252f485f468ef4/analysis/; classtype:trojan-activity; sid:21588; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"DELETED VOIP-SIP request line equal To zero"; content:"SIP/2.0"; nocase; content:"0"; distance:0; nocase; pcre:"/^SIP\/2\.0\s+0\s*$/smi"; reference:bugtraq,24359; reference:cve,2007-2297; reference:url,bugs.digium.com/view.php?id=9313; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12061; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BLACKLIST URI request for known malicious URI - /stat.htm"; flow:to_server,established; content:"/stat.htm?id="; nocase; http_uri; content:"&r="; within:3; distance:7; nocase; http_uri; content:"&repeatip="; distance:0; nocase; http_uri; content:"&rtime="; distance:0; nocase; http_uri; content:"&cnzz_eid="; distance:0; nocase; http_uri; reference:url,labs.snort.org/iplists/urllist-2011-04-07; classtype:trojan-activity; sid:18773; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC TDSS outbound connection"; 
flow:established,to_server; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)"; nocase; http_header; content:"HOST|3A| "; fast_pattern; http_header; reference:url,threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=111209-TDSS.xml; classtype:trojan-activity; sid:21443; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Blackhole Older jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Field.class"; reference:url,secniche.blogspot.com/2011/10/blackhole-bep-hp-scanner-infection.html; classtype:attempted-user; sid:22055; rev:3;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"DELETED rule"; flow:to_server,established; content:"fsgsrtw43tsrdfgsgrdg4t5"; fast_pattern:only; classtype:attempted-user; sid:23119; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED rule"; flow:to_server,established; content:"asdffdrefre78fwre8fddfg"; fast_pattern:only; classtype:attempted-user; sid:23120; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<]{1024}/Rms"; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23886; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_server,established; file_data; flowbits:isset,file.pdf; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; fast_pattern:only; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23873; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"DELETED FILE-PDF Adobe Reader 
getAnnotsRichMedia return type confusion attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"<]{1024}/Rms"; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23885; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<]{1024}/Rms"; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23888; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Adobe Reader postscript font execution malformed subroutine entries attempt"; flow:to_client,established; file_data; flowbits:isset,file.pdf; content:"|1D CD 77 ED B6 D2 C2 E2 FD 7A C5 C0 EE FE AC A0 11 ED 3B 6A 90 84 3B CA A8 49 3E E9 9E 59 63 1E|"; fast_pattern:only; reference:cve,2012-4152; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:denial-of-service; sid:23872; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Adobe Reader getAnnotsRichMedia return type confusion attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<]{1024}/Rms"; reference:cve,2012-2050; reference:url,www.adobe.com/support/security/bulletins/apsb12-16.html; classtype:attempted-dos; sid:23887; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"DELETED SPECIFIC-THREATS HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"JTOOCNZ|3A|7510|2F|topology|2F|homeBaseView"; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:18584; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"DELETED SPECIFIC-THREATS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids 
translated_names overflow attempt"; flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; byte_test:4,>,255,36,dce; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:15507; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt"; flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; content:"(\x22|\x27|))(?P\S+)(?P=q1).*?document\x2EgetElementById\x28(?P(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; reference:bugtraq,17196; reference:cve,2006-1359; classtype:attempted-user; sid:17781; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED SPECIFIC-THREATS Microsoft Internet Explorer invalid pointer memory corruption attempt"; flow:to_client,established; file_data; content:"setAttribute"; content:"document.location"; distance:0; content:"about|3A 5C|u0c0c|5C|u0c0c|5C|u0c0c|5C|u0c0cblank|22|"; within:40; content:" $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash malformed error response"; flow:to_server,established; flowbits:isset,RTMP.sysMemCall; content:"|03|"; content:"|14|"; within:1; distance:6; content:"error"; within:5; distance:8; nocase; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:attempted-user; sid:22067; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1935 (msg:"DELETED FILE-FLASH Adobe Flash systemMemoryCall RTMP query"; flow:to_server,established; content:"|14|"; content:"systemMemoryCall|00|"; within:17; distance:3; nocase; flowbits:set,RTMP.sysMemCall; flowbits:noalert; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:protocol-command-decode; sid:22068; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Trojan.Kbot variant 
outbound connection"; flow:to_server,established; content:"s_get_host.php?ver="; http_uri; content:"HTTP/1.0"; reference:url,www.virustotal.com/file/5f281de6faf1793f622f049f2359e09fd4fbd744f43e3fd0fdb0cbcc812fa3af/analysis/; classtype:trojan-activity; sid:22057; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Blackhole Redirection to generated folder - js.js"; flow:established,to_server; urilen:15; content:"/js.js"; fast_pattern:only; http_uri; pcre:"/\/[a-z0-9]{6,8}\/js\.js$/Ui"; classtype:bad-unknown; sid:24170; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-MULTIMEDIA Microsoft Office MSCOMCTL ActiveX control tabstrip method arbitrary code execution attempt"; flow:established,to_server; flowbits:isset,file.rtf; file_data; content:"MSComctlLib.TabStrip"; fast_pattern:only; content:"9665fb1e7c85d111b16a00c0f0283628"; nocase; content:"21433412"; distance:0; nocase; content:"01efcdab"; distance:0; nocase; byte_test:8,>=,0x28000000,80,relative,string,hex; reference:cve,2012-1856; reference:cve,2013-1313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-060; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-020; classtype:attempted-user; sid:23845; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer JPEG Decoder Vulnerabilities attempt"; flow:to_client,established; file_data; content:"|FF D8 FF|"; content:"|FF DA|"; distance:0; content:"|03|"; within:1; distance:2; content:"|01 00 02 11 01|"; within:5; reference:bugtraq,14282; reference:cve,2005-1998; reference:cve,2005-2308; classtype:attempted-user; sid:17355; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Dialer yeaknet runtime detection - home page hijacker"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"snprtz|7C|dialno"; nocase; http_header; content:"Host|3A|"; nocase; 
http_header; content:"www.otherchance.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*snprtz\x7Cdialno.*Host\x3A[^\r\n]*www\x2Eotherchance\x2Ecom/smiH"; reference:url,www.spywareguide.com/product_show.php?id=2446; classtype:misc-activity; sid:6490; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information"; flow:to_server,established; content:"/scripts/security/visit.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"User-Agent|3A| iebar"; nocase; http_header; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:successful-recon-limited; sid:12673; rev:10;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED PROTOCOL-ICMP IPv6 router advertisement flood attempt"; itype:134; icode:0; detection_filter:track by_dst, count 1000, seconds 1; reference:url,thc.org/thc-ipv6/; classtype:attempted-dos; sid:24300; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST Trackware adtools runtime detection - track user activity"; flow:to_server,established; content:"/acts/tracking/track.asp"; nocase; content:"Data="; distance:0; nocase; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; nocase; http_header; content:"Host|3A| trackcl.adtoolsinc.com"; fast_pattern:only; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5898; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST Trackware adtools-screenmate runtime detection - generate desktop alert"; flow:to_server,established; content:"/roche.asp?"; nocase; http_uri; content:"zip="; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; nocase; http_header; content:"Host|3A| 
www.flustar.com"; fast_pattern:only; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5899; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST Trackware ucmore runtime detection - track activity"; flow:to_server,established; content:"/iis2ucms.asp"; nocase; content:"RequestString="; distance:0; nocase; content:"UCMXML"; distance:0; nocase; content:"User-Agent|3A| EI"; nocase; http_header; reference:url,www.spywareguide.com/product_show.php?id=776; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype:successful-recon-limited; sid:5837; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST hijacker topfive searchassistant detection - post user information to server"; flow:to_server,established; content:"/downloads/rs.asp?"; nocase; content:"u="; distance:0; nocase; content:"p="; distance:0; nocase; content:"b="; distance:0; nocase; content:"c="; distance:0; nocase; content:"v="; distance:0; nocase; content:"o="; distance:0; nocase; content:"s="; distance:0; nocase; content:"User-Agent|3A| TM_SEARCH3"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5977; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST Trickler farmmext installtime/update request"; flow:to_server,established; content:"/a/Aid.sen?StubName=farmmext"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| Stubby"; nocase; http_header; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6202; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST Trickler conscorr runtime detection"; flow:to_server,established; content:"/a/Corr.sen?StubName=conscorr"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| Stubby"; 
nocase; http_header; reference:url,www.spywareguide.com/product_show.php?id=1034; classtype:misc-activity; sid:5834; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED FILE-IMAGE libpng png_inflate buffer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"zTXt"; distance:0; fast_pattern; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:80; content:"|00|"; within:1; reference:bugtraq,52453; reference:cve,2011-3045; classtype:attempted-admin; sid:21985; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED FILE-IMAGE libpng png_inflate buffer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"iTXt"; distance:0; fast_pattern; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:80; content:"|01 00|"; within:2; reference:bugtraq,52453; reference:cve,2011-3045; classtype:attempted-admin; sid:21986; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IMAGE libpng png_inflate buffer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"iCCP"; distance:0; fast_pattern; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:80; content:"|00|"; within:1; reference:bugtraq,52453; reference:cve,2011-3045; classtype:attempted-admin; sid:21990; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED FILE-IMAGE libpng png_inflate buffer overflow attempt"; flow:established,to_server; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"iCCP"; distance:0; fast_pattern; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:80; content:"|00|"; within:1; reference:bugtraq,52453; reference:cve,2011-3045; classtype:attempted-admin; sid:21987; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IMAGE libpng png_inflate buffer overflow attempt"; 
flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"iTXt"; distance:0; fast_pattern; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:80; content:"|01 00|"; within:2; reference:bugtraq,52453; reference:cve,2011-3045; classtype:attempted-admin; sid:21989; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IMAGE libpng png_inflate buffer overflow attempt"; flow:established,to_client; flowbits:isset,file.png; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"zTXt"; distance:0; fast_pattern; byte_test:4,>,0x100000,-8,relative; content:"|00|"; within:80; content:"|00|"; within:1; reference:bugtraq,52453; reference:cve,2011-3045; classtype:attempted-admin; sid:21988; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win32.Delf outbound connection"; flow:to_server,established; content:"/set?pid="; nocase; http_uri; content:"&rtb="; distance:0; nocase; http_uri; pcre:"/\x2Fset\x3Fpid=[A-Z\d]{8}-[A-Z\d]{4}-[A-Z\d]{4}-[A-Z\d]{4}-[A-Z\d]{12}\x26rtb=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=8e24ea1d7afcbbbebd7da550f92b77f4; classtype:trojan-activity; sid:24624; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED SERVER-WEBAPP Oracle Secure Backup Administration Server authentication bypass attempt via POST"; flow:to_server,established; content:"login.php"; nocase; http_uri; content:"attempt"; nocase; http_client_body; content:"uname="; nocase; http_client_body; pcre:"/uname\x3D[^\x26\x2D\s]*?\x2D/iP"; reference:bugtraq,41596; reference:cve,2010-0904; classtype:attempted-admin; sid:17049; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"DELETED NETBIOS Microsoft Windows DNS Server RPC management interface buffer overflow attempt"; flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:1,3; dce_stub_data; 
pcre:"/^.*?(\x5c.){256}/s"; reference:bugtraq,23470; reference:cve,2007-1748; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-029; classtype:attempted-admin; sid:17047; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7779 (msg:"DELETED SERVER-WEBAPP Oracle iSQL Plus cross site scripting attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"username="; nocase; http_uri; pcre:"/username[\x3d\x3f][^\n\x26]*\x3c[^\n\x26]+\x3e/Ui"; reference:bugtraq,9484; reference:cve,2004-2115; classtype:web-application-attack; sid:12059; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"DELETED SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 attempt"; flow:established,to_server; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:25; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:"|02 00 00 00 00 00 00 00 02 00 00 00 90 00 00 00|"; within:16; reference:bugtraq,9011; reference:cve,2003-0812; reference:nessus,11921; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-049; classtype:protocol-command-decode; sid:18316; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7779 (msg:"DELETED SERVER-WEBAPP Oracle iSQL Plus cross site scripting attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"action="; nocase; http_uri; pcre:"/action[\x3d\x3f][^\n\x26]*\x3c[^\n\x26]+\x3e/Ui"; reference:bugtraq,9484; reference:cve,2004-2115; classtype:web-application-attack; sid:12060; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange User-Agent - contype"; flow:to_server,established; content:"User-Agent|3A 20|contype|0D 0A|"; http_header; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; 
reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24838; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 11234 (msg:"DELETED SCADA Measuresoft ScadaPro remote command injection attempt"; flow:to_server,established; content:"xf%"; depth:3; nocase; pcre:"/^xf%(\.\.[\x2f\x5c]){3}/i"; reference:cve,2011-3497; reference:url,aluigi.altervista.org/adv/scadapro_1-adv.txt; classtype:attempted-admin; sid:21482; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED MALWARE-CNC Win.Trojan.Dorkbot inbound positive response"; flow:to_client,established; file_data; content:"download"; depth:8; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24887; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED FILE-FLASH Adobe Flash Player invalid JPEG index"; flow:to_server,established; flowbits:isset,file.swf; flowbits:isset,file.jpegswf; file_data; content:"|FF DA 00 08 01|"; byte_test:1,>,3,1,relative; reference:cve,2012-5267; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24881; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player invalid JPEG index"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|FF E0 10 00|JFIF|00|"; content:"|FF DA 00 08 01|"; distance:0; byte_test:1,>,3,1,relative; reference:cve,2012-5267; reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24880; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player JPEG in flash file"; flow:to_client,established; flowbits:isset,file.swf; flowbits:set,file.jpegswf; file_data; content:"|FF E0 00 10|JFIF|00|"; flowbits:noalert; reference:cve,2012-5267; 
reference:url,www.adobe.com/support/security/bulletins/apsb12-24.html; classtype:attempted-user; sid:24878; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Fareit.A outbound connection"; flow:to_server,established; content:"/bn93h4k.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"CRYPTED0"; reference:url,www.virustotal.com/file-scan/report.html?id=659ea4753a64cce6ac15e78802a21c5ba75596ff5a9d112295ba3484b1033064-1305081015; classtype:trojan-activity; sid:19355; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Trojan.Scar variant outbound connection"; flow:to_server,established; content:"/ddos?uid="; nocase; http_uri; content:"&ver="; distance:0; nocase; http_uri; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23108; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC ZeroAccess Clickserver Callback"; flow:to_server,established; urilen:95; content:"|20|HTTP/1.0|0D 0A|Host|3A|"; fast_pattern; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; classtype:trojan-activity; sid:25110; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:"/index.html|22|"; within:50; pcre:"/\x2f[a-z0-9]{6,8}\x2findex\.html\x22/msi"; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24171; rev:8;) # alert tcp $EXTERNAL_NET 1935 -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe 
Flash malformed RTMP response attempt"; flow:to_client,established; content:"|02 00 06 5F 65 72 72 6F 72 00 40 00 00 00 00 00 00 00|"; fast_pattern:only; content:"|0C 0C 0C 0C|"; depth:4; offset:85; reference:cve,2012-0779; reference:url,www.adobe.com/support/security/bulletins/apsb12-09.html; classtype:protocol-command-decode; sid:24141; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Blackholev2 - URI Structure"; flow:established,to_server; urilen:50<>250; content:".php?"; http_uri; content:"Referer|3A|"; nocase; http_header; content:".php|0D 0A|"; within:200; nocase; http_header; content:!"facebook.com"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]+\.php\r\n/Hsmi"; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/U"; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24227; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition|3A|"; http_client_body; content:".jpg"; distance:0; http_client_body; pcre:"/Content-Disposition\x3a[^\r\n]*?filename\s*=\s*[\x22\x27][^\x22\x27]*?\.(jpe?g|tiff?)[\x22\x27]/iP"; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; http_client_body; reference:cve,2012-0247; reference:url,osvdb.org/show/osvdb/79003; classtype:attempted-user; sid:25350; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_client,established; 
flowbits:isset,file.jpg|file.jpeg|file.tif|file.tiff; file_data; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; reference:cve,2012-0247; reference:url,osvdb.org/show/osvdb/79003; classtype:attempted-user; sid:25349; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"DELETED FILE-IMAGE ImageMagick EXIF resolutionunit handling memory corruption attempt"; flow:to_server,established; flowbits:isset,file.jpg|file.jpeg|file.tif|file.tiff; file_data; content:"|DE 00 00 00|(|01 03 00 CE FF FF 7F|(|01 00 00|"; fast_pattern:only; reference:cve,2012-0247; reference:url,osvdb.org/show/osvdb/79003; classtype:attempted-user; sid:25351; rev:2;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DELETED SERVER-OTHER Microsoft Forefront Threat Management Gateway remote code execution attempt"; flow:to_client; content:"|80|"; depth:1; offset:3; content:"|C0 0C 00 05 00 01|"; isdataat:140; byte_test:2,<,2,0,relative; byte_test:2,<,2,2,relative; reference:cve,2011-1889; classtype:attempted-admin; sid:25313; rev:3;) # alert ip $HOME_NET any -> 77.241.93.160 any (msg:"DELETED BLACKLIST known malicious IP address 77.241.93.160 - contact to Duqu command and control server"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:20524; rev:2;) # alert ip $HOME_NET any -> 206.183.111.97 any (msg:"DELETED BLACKLIST known malicious IP address 206.183.111.97 - contact to Duqu command and control server"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:20523; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool Exploit Kit SWF file download"; flow:to_server,established; content:"/articles/"; http_uri; content:".swf"; distance:0; nocase; http_uri; 
pcre:"/\/articles\/([A-Z]+\/)?[A-Z]+\x2eswf$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25575; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool Exploit Kit SWF file download"; flow:to_server,established; content:"/read/"; http_uri; content:".swf"; distance:0; nocase; http_uri; pcre:"/\/read\/([A-Z]+\/)?[A-Z]+\x2eswf$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25573; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool Exploit Kit SWF file download"; flow:to_server,established; content:"/contacts/"; http_uri; content:".swf"; distance:0; nocase; http_uri; pcre:"/\/contacts\/([A-Z]+\/)?[A-Z]+\x2eswf$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25576; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool Exploit Kit SWF file download"; flow:to_server,established; content:"/news/"; http_uri; content:".swf"; distance:0; nocase; http_uri; pcre:"/\/news\/([A-Z]+\/)?[A-Z]+\x2eswf$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25574; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Downloader outbound connection"; flow:to_server,established; content:".exe"; nocase; http_uri; content:"User-Agent: Agent"; fast_pattern:only; nocase; 
http_header; pcre:"/Agent\d{8}/Hi"; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24310; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Downloader outbound connection"; flow:to_server,established; content:".gif"; nocase; http_uri; content:"User-Agent: Agent"; fast_pattern:only; nocase; http_header; pcre:"/Agent\d{8}/Hi"; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24309; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED SERVER-OTHER MiniUPnPd ExecuteSoapAction null pointer dereference attempt"; flow:established,to_server; content:"SOAPAction|3A|"; fast_pattern:only; http_header; pcre:"/SOAPAction\x3A\s*?\x22[^\r\n\x22\x23]+?\x22/Hsmi"; reference:cve,2013-1461; classtype:attempted-admin; sid:25781; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED OS-OTHER Apple iOS 6.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.bzip; file_data; content:"Protective Master Boot Record (MBR"; fast_pattern:only; content:"Attributes"; nocase; content:"0x0050"; distance:0; nocase; content:"bWlzaAAAAAE"; distance:0; nocase; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25613; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Multiple Exploit Kit Payload detection - setup.exe"; flow:to_client,established; content:"filename="; http_header; content:"setup.exe"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; 
reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25526; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST User-Agent known malicious user agent - IEEXPLORE.EXE"; flow:to_server,established; content:"User-Agent|3A| IEXPLORE.EXE"; fast_pattern:only; http_header; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7534; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT CritX Exploit Kit possible plugin detection attempt"; flow:to_server,established; content:"/js/pd.js"; fast_pattern:only; http_uri; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25820; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Blackhole Exploit Kit javascript service method"; flow:to_server,established; urilen:12<>16; content:"/js.js"; fast_pattern:only; http_uri; content:"Referer"; http_header; pcre:"/^\/[a-z\d]{6,8}\/js\.js$/Ui"; pcre:!"/^\/[a-z\d]{6,8}\/js\.js$/U"; pcre:"/^Referer\x3A[^\r\n]*?\x2f[A-Z\d]{6,8}\x2f/Hsmi"; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.imperva.com/2011/12/deconstructing-the-black-hole-exploit-kit.html; classtype:trojan-activity; sid:22088; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Dong Da exploit kit landing page received"; 
flow:to_client,established; file_data; content:"MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no"; classtype:trojan-activity; sid:26012; rev:3;)
# NOTE(review): sid:21954 below carries an empty content:"" option, which is not a valid Snort content pattern; the quoted value was presumably an angle-bracket token that this copy's extraction stripped — recover it from the upstream ruleset before reusing the rule.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-FIREFOX Mozilla Multiple Products HTML href shell attempt"; flow:to_client,established; file_data; content:"shell:"; fast_pattern:only; content:""; within:200; content:"shell:"; within:200; nocase; reference:cve,2004-0648; classtype:policy-violation; sid:21954; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Dong Da exploit kit successful redirection"; flow:to_server,established; content:".htm?id="; http_uri; content:"&location="; distance:0; http_uri; content:"&resolution="; distance:0; http_uri; content:"&ua="; distance:0; http_uri; classtype:trojan-activity; sid:26014; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange initial landing page"; flow:to_server,established; urilen:<25; content:"/"; http_uri; content:"?"; within:1; distance:6; http_uri; content:"="; within:1; distance:5; http_uri; pcre:"/\x2f[a-z]{1,5}[A-Z]{1,5}.*?\x3f[a-zA-Z]{5}=[0-9]{1,3}$/U"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24837; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED MALWARE-CNC TDS Sutra - cookie set"; flow:to_client,established; content:!"302"; http_stat_code; content:"Set-Cookie: SL_"; content:"_0000="; within:8; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21847; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC URI 
request for known malicious URI - Suspected Crimepack"; flow:to_server,established; content:"php?affid="; fast_pattern:only; http_uri; pcre:"/php\?affid=\d{5}$/Ui"; reference:url,www.virustotal.com/file-scan/report.html?id=f3aac810a100bc09f02c5e13df23264406569e3faeb10bd697de5282e7049233-1301139078; classtype:trojan-activity; sid:18944; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer ani file processing - remote code execution attempt"; flow:to_client,established; file_data; content:"RIFF"; depth:4; fast_pattern; content:"ACON"; within:4; distance:4; content:"anih"; content:!"|18 00 00 00|"; within:4; reference:cve,2007-0038; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-017; classtype:attempted-user; sid:19886; rev:5;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"DELETED OS-WINDOWS Microsoft Windows wab32res.dll dll-load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"w|00|a|00|b|00|3|00|2|00|r|00|e|00|s|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; reference:url,www.secunia.com/advisories/41050; classtype:attempted-user; sid:21633; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED OS-WINDOWS Microsoft Windows wab32res.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|wab32res.dll"; nocase; http_uri; reference:url,www.secunia.com/advisories/41050; classtype:attempted-user; sid:21634; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SERVER-WEBAPP HP OpenView Manager DOS"; flow:to_server,established; content:"/OvCgi/OpenView5.exe?"; fast_pattern:only; http_uri; content:"Context=Snmp"; nocase; http_uri; content:"Action=Snmp"; nocase; http_uri; content:"Host="; nocase; http_uri; content:"Oid="; nocase; http_uri; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:19;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
# NOTE(review): the Blackholev2 landing-page rule fragment below is truncated in this copy — its content pattern, remaining options and sid are missing, and its text runs straight into the first Sweet Orange jar rule (sid:26235). Presumably the pattern began with an angle bracket and the extraction dropped everything up to the next ">" (the one in " -> "); recover it from the upstream ruleset rather than from this text.
$HOME_NET any (msg:"DELETED EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"eCb.class"; fast_pattern:only; classtype:trojan-activity; sid:26235; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"doVup.class"; fast_pattern:only; classtype:trojan-activity; sid:26234; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit initial redirection"; flow:to_server,established; content:".php?"; http_uri; content:"&"; distance:0; http_uri; content:"&"; distance:0; http_uri; content:"&"; distance:0; http_uri; content:"&"; distance:0; http_uri; pcre:"/\.php\?[a-z]+\=\d{2,3}\&[a-z]+\=\d{2,3}\&[a-z]+\=\d{2,3}\&[a-z]+\=\d{2,3}\&[a-z]+\=\d{2,3}/U"; classtype:trojan-activity; sid:26237; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"pKWpI.class"; fast_pattern:only; classtype:trojan-activity; sid:26236; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SERVER-WEBAPP Symantec Web Gateway blocked.php id parameter sql injection attempt"; flow:to_server,established; content:"/spywall/blocked.php"; fast_pattern:only; http_uri; pcre:"/[?&]id=[^&]*?[\x28\x29]/Ui"; reference:bugtraq,54424; reference:cve,2012-2574; reference:url,attack.mitre.org/techniques/T1190; classtype:web-application-attack; sid:23784; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [443,465,993,995] (msg:"DELETED OS-WINDOWS PCT Client_Hello overflow attempt"; flow:to_server,established; ssl_state:client_hello; 
ssl_version:sslv2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; byte_test:2,<,33,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-011; classtype:attempted-admin; sid:2515; rev:27;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Blackhole - Cookie Set"; flow:to_client,established; content:"client=done|3B|"; fast_pattern:only; content:"client=done|3B|"; http_cookie; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24475; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED MALWARE-CNC Win.Trojan.Fusing.AA outbound connection"; flow:to_server,established; content:"wings"; depth:5; content:"|00 00|"; within:2; distance:2; reference:url,www.virustotal.com/file-scan/report.html?id=3f2a74beb0cf012f8dfa732d3520a64e57579356bcc40245290a6abe23e6a30c-1310757263; classtype:trojan-activity; sid:19866; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC W32.Dofoil variant outbound connectivity check"; flow:to_server,established; content:"GET / HTTP/1.0"; depth:14; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21312; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED MISC bubbye too"; flow:to_client,established; file_data; 
content:"asdfaslfjlasdfjasdflasdf9asfh9asfha9sfasf9fa9"; classtype:misc-activity; sid:26376; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED MISC bubbye"; flow:to_client,established; file_data; content:"asdfaslfjlasdfjasdflasdf9asfh9asfha9sfasf9fa9"; classtype:misc-activity; sid:26375; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; urilen:8; content:".jar"; http_uri; content:" Java/1"; http_header; content:"content-type|3A| application/x-java-archive"; pcre:"/\/\w{3}\.jar$/U"; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26347; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"DELETED SERVER-OTHER CA ARCserve Backup for Laptops rxsSetDefaultConfigName overflow attempt"; flow:to_server,established; content:"rxsSetDefaultConfigName~~"; isdataat:976,relative; reference:bugtraq,24348; reference:cve,2007-3216; classtype:attempted-admin; sid:12787; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED OS-OTHER Apple iOS 6.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.bzip; file_data; content:"Protective Master Boot Record (MBR"; fast_pattern:only; content:"Attributes"; nocase; content:"0x0050"; distance:0; nocase; content:"bWlzaAAAAAE"; distance:0; nocase; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25614; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"DELETED MALWARE-CNC Win.Downloader.Kuloz variant outbound connection"; flow:to_server,established; content:"GET /"; depth:6; content:"User-Agent|3A 20|"; content:!"Referer"; content:!"Accept"; pcre:"/GET\x20\x2F[a-fA-F\d]{48,256}/"; pcre:"/Host\x3A\x20[\d\x2E]{7,15}\x3A\d{1,5}/"; 
reference:url,www.virustotal.com/file/9FE76262EFCACC63A9967BC3ED14AC29376A654BBB60DC9894E6EA5787338D01/analysis/; classtype:trojan-activity; sid:25368; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer invalid object modification exploit attempt"; flow:to_client,established; file_data; content:"callback"; pcre:"/on((before|)(de|)activate|focus(in|out))\s*\x3d\s*function[^\x7d]*callback/si"; reference:cve,2009-1530; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-019; classtype:attempted-user; sid:15536; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-PLUGINS Oracle EasyMail Objects ActiveX exploit attempt"; flow:to_client,established; file_data; content:"classid='clsid|3A|68AC0D5F-0424-11D5-822F-00C04F6BA8D9'"; fast_pattern:only; content:"unescape|28 22|%"; reference:bugtraq,25467; reference:cve,2007-4607; classtype:attempted-user; sid:16591; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED MALWARE-OTHER Possible Kuluoz spamvertised URL in email"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:".htm|22|"; within:50; pcre:"/\x2f[A-Z]{10}\.htm\x22/ms"; metadata:ruleset community; reference:url,blog.webroot.com/2012/08/31/cybercriminals-impersonate-ups-serve-malware; classtype:trojan-activity; sid:24102; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Unknown Exploit Kit getfile.php"; flow:to_server,established; content:"getfile.php?i="; http_uri; content:"&key="; distance:0; http_uri; classtype:trojan-activity; sid:23248; rev:3;)
# NOTE(review): the marquee/onstart rule below is garbled in this copy — content:"]*onstart\s*=/smi" holds what looks like the tail of a pcre option (a character-class remainder plus the /smi modifiers) inside a content string, consistent with angle-bracket tokens stripped on extraction; the rule's sid sits on the next line. Do not reuse this text as-is; take the rule from the upstream ruleset.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer marquee tag onstart memory corruption"; flow:to_client,established; file_data; content:"]*onstart\s*=/smi"; reference:cve,2009-0554; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-014; classtype:attempted-user; 
sid:15461; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BLACKLIST User-Agent known malicious user agent - MyApp"; flow:to_server,established; content:"User-Agent: MyApp|0D 0A|"; fast_pattern:only; http_header; reference:url,www.virustotal.com/file/F6B7DF4009F41D103F5B856F1C6F1E6C05667D21F4F7528EF554C7E2ADB4F39C/analysis/; classtype:trojan-activity; sid:24577; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-IMAGE Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow attempt"; flow:to_client,established; flowbits:isset,file.pct; file_data; content:"PICT"; depth:4; isdataat:594,relative; content:"|00 07|"; within:2; distance:594; byte_test:2,>,0x7fff,2,relative; reference:bugtraq,49144; reference:cve,2011-0257; classtype:attempted-user; sid:19908; rev:8;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt"; flow:to_client,established; flowbits:isset,file.pls; file_data; content:"[playlist]"; depth:10; nocase; isdataat:1000; content:"File"; distance:0; pcre:"/^\d+\x3Dhttps?\x3a\x2f\x2f[^\n\r]{1000}/Ri"; reference:cve,2005-0043; classtype:attempted-user; sid:18483; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED FILE-MULTIMEDIA Apple iTunes playlist URL overflow attempt"; flow:to_client,established; file_data; content:"[playlist]"; pcre:"/^File[0-9]+=http\x3a\x2f\x2f[^\n]{150}/Rsmi"; reference:bugtraq,12238; reference:cve,2005-0043; classtype:attempted-user; sid:3471; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Potential Bancos Trojan - HTTP Header Structure Anomaly v2.0"; flow:to_server,established; urilen:<20; content:" HTTP/1."; content:"|0D 0A|Content-Type: text/html|0D 0A|Host: "; within:33; distance:1; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; 
content:!"Referer:"; http_header; pcre:"/\.(php|html?|gif|zip|exe)/U"; classtype:trojan-activity; sid:26762; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SERVER-IIS web agent redirect overflow attempt"; flow:to_server,established; content:"/WebID/IISWebAgentIF.dll"; nocase; http_uri; pcre:"/\x2fWebID\x2fIISWebAgentIF\.dll[^\n\x26\x3f]*\x3fRedirect\x3furl=[^\n\x26\x3f]{1024}/smi"; reference:bugtraq,13524; reference:cve,2005-1471; classtype:web-application-attack; sid:5695; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SERVER-WEBAPP WhatsUpGold configuration access"; flow:to_server,established; content:"/_maincfgret.cgi"; nocase; http_uri; reference:bugtraq,11043; reference:bugtraq,11109; reference:cve,2004-0798; classtype:web-application-activity; sid:11817; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED PROTOCOL-IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,11775; reference:bugtraq,15006; reference:cve,2004-1211; reference:cve,2005-3155; reference:nessus,15867; classtype:misc-attack; sid:3068; rev:11;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY HyperText Markup Language file download request"; flow:to_server,established; content:".htm"; fast_pattern:only; http_uri; pcre:"/\x2ehtml?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.htm; flowbits:noalert; classtype:misc-activity; sid:18275; rev:12;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Hypertext Markup Language file attachment detected"; flow:to_server,established; content:".htm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ehtml?[\x22\x27\s]/si"; flowbits:set,file.htm; flowbits:noalert; classtype:misc-activity; sid:21690; rev:6;) # 
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"DELETED FILE-IDENTIFY Hypertext Markup Language file attachment detected"; flow:to_client,established; content:".htm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ehtml?[\x22\x27\s]/si"; flowbits:set,file.htm; flowbits:noalert; classtype:misc-activity; sid:21689; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED MALWARE-BACKDOOR troya 1.4 runtime detection - init connection"; flow:to_server,established; content:"/index"; nocase; flowbits:set,Troya_1_4_detection; flowbits:noalert; classtype:trojan-activity; sid:13245; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Backdoor.Win32.Wolyx.A runtime detection"; flow:to_server,established; dsize:12; content:"|0D 0A 0D 0A|"; offset:8; content:!"/"; http_uri; pcre:"/^[0-9a-f]{8}\r\n\r\n$/i"; reference:url,www.virustotal.com/file/bf8c756d34efc346e4bc100310f2ead2731c9745d49dec242c9f237e53bceb41/analysis; classtype:trojan-activity; sid:26821; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Syndicasec Stage Two traffic"; flow:to_server,established; content:"POST"; http_method; content:"cstype=server|26|authname="; http_client_body; metadata:ruleset community; reference:url,www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin; classtype:trojan-activity; sid:26810; rev:2;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"DELETED MALWARE-CNC known malicious SSL certificate - Sykipot C&C"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|00 EC 32 09 67 C9 34 3F 50|"; within:50; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; 
classtype:trojan-activity; sid:21046; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Blackholev2 exploit kit JNLP request"; flow:to_server,established; content:".php?jnlp="; fast_pattern:only; nocase; http_uri; content:" Java/1."; http_header; pcre:"/\.php\?jnlp=[a-f0-9]{10}($|\x2c)/Ui"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27070; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OTHER Multiple products ZIP archive virus detection bypass attempt"; flow:to_client,established; file_data; content:"|50 4B 01 02|"; content:"|00 00 00 00|"; within:4; distance:20; content:!"|00 00 00 00|"; within:4; distance:-8; reference:bugtraq,11448; reference:cve,2004-0932; classtype:bad-unknown; sid:27048; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $SMTP_SERVERS 25 (msg:"DELETED MALWARE-CNC WIN.Trojan.Zbot payment .scr download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"MONETARY"; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27011; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC WIN.Trojan.Zbot outbound connection"; flow:to_server,established; content:"/webhp"; fast_pattern:only; http_uri; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27009; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page - specific structure"; flow:to_client,established; 
file_data; content:"}catch(gdsgd){"; fast_pattern:only; classtype:trojan-activity; sid:26255; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Sakura exploit kit jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"X-COMMENT: Main-Class will be added automatically by build"; fast_pattern:only; classtype:trojan-activity; sid:27004; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:to_server,established; content:"/cm2.jar"; fast_pattern:only; http_uri; content:" Java/"; http_header; metadata:ruleset community; classtype:trojan-activity; sid:27088; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:to_server,established; content:"/app.jar"; fast_pattern:only; http_uri; content:" Java/"; http_header; metadata:ruleset community; classtype:trojan-activity; sid:27087; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-IDENTIFY Microsoft Windows help file magic"; flow:to_server,established; file_data; content:"|3F 5F 03 00|"; depth:4; flowbits:set,file.hlp; flowbits:noalert; classtype:misc-activity; sid:27165; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.doc&file.ole; file_data; content:"|08 D6|"; byte_extract:1,2,NumOfColumns,relative; byte_jump:2,-3,relative,little; content:"|20 D6|"; within:2; distance:-1; byte_test:1,>,NumOfColumns,2,relative; reference:bugtraq,38218; reference:cve,2009-3302; reference:cve,2010-2563; reference:url,osvdb.org/show/osvdb/67983; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-067; classtype:attempted-user; sid:26675; rev:2;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"DELETED POLICY-SOCIAL AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; metadata:ruleset community; classtype:policy-violation; sid:1633; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Redkit initial redirection embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http|3A 2F 2F|"; fast_pattern:only; classtype:trojan-activity; sid:27235; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Seinup variant outbound connection"; flow:to_server,established; content:"php|3F|"; fast_pattern:only; http_uri; pcre:"/\x2ephp\x3f[a-z0-9]{11,13}=.*?\x26[a-z0-9]{3,5}=.*?\x26[a-z0-9]{7,9}=.*?\x26[a-z0-9]{14,16}=/U"; metadata:ruleset community; reference:url,www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:trojan-activity; sid:27145; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED MALWARE-OTHER function urchin - known malware function name"; flow:to_client,established; file_data; content:"function urchin|28 29|"; fast_pattern:only; metadata:ruleset community; reference:url,labs.snort.org/docs/23795.txt; classtype:trojan-activity; sid:23795; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Crysis variant outbound connection"; flow:to_server,established; content:"|0D 0A|Content-Length|3A 20|88|0D 0A|"; fast_pattern:only; http_header; content:"+"; depth:1; offset:71; http_client_body; content:"+"; within:1; distance:3; http_client_body; metadata:ruleset community; classtype:trojan-activity; sid:26481; rev:4;) # alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED SERVER-WEBAPP Potential hostile executable served from local compromised or malicious WordPress site"; 
flow:to_client,established; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:ruleset community; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26618; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player embedded JPG image width overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 5, relative; reference:bugtraq,26951; reference:cve,2007-6242; classtype:attempted-admin; sid:13301; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SERVER-WEBAPP view_broadcast.cgi access"; flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern:only; http_uri; metadata:ruleset community; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED SERVER-WEBAPP store.cgi product directory traversal attempt"; flow:to_server,established; content:"/store.cgi"; nocase; http_uri; content:"product="; content:"../.."; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:17;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Styx Exploit Kit outbound connection"; flow:to_server,established; urilen:75<>83; content:!"Cookie"; http_header; content:!"yahoo"; nocase; http_header; content:!"Authorization"; http_header; content:!"Application"; http_header; content:!"bing.com"; nocase; http_header; content:!"iphone"; nocase; http_header; pcre:"/^\/[a-zA-Z0-9]{76,81}$/U"; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; 
reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25135; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT g01pack browser check attempt"; flow:to_client,established; file_data; content:"|21 28 2F 28|Firefox|7C|Chrome|7C|Linux|7C|Mac OS|29 2F|.test|28|navigator.userAgent|29 29|"; fast_pattern:only; reference:url,www.malwaresigs.com/2013/01/30/speedtest-net-g01pack-exploit-kit/; classtype:trojan-activity; sid:25982; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool/Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|"; within:25; content:".value.length|3B|"; within:100; content:".value.substr("; distance:0; pcre:"/for\x28(?P\w+)\x3d0\x3b.*?\.value\.substr\x28(?P=var)\x2c2\x29/"; reference:url,malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html; classtype:trojan-activity; sid:27092; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Word document summary information null string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|02 D5 CD D5 9C|.|1B 10 93 97 08 00|+,|F9 AE|"; content:"|1E 00 00 00 00 00 00 00|"; distance:0; reference:cve,2006-1540; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7200; rev:11;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Word summary information null string overflow attempt"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; content:"|1E 00 00 00 00 00 00 00|"; distance:0; reference:cve,2006-1540; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-038; classtype:attempted-user; sid:7201; rev:11;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED OS-WINDOWS something something dark side"; content:"i have to go... place"; classtype:attempted-dos; sid:27849; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED OS-WINDOWS uyghggdsf"; flow:to_server,established; content:"dfasdfardfgstrgsfdgdfSERREFASDF"; classtype:attempted-user; sid:27848; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED OS-WINDOWS sd"; flow:to_client,established; content:"asfdasdfeaseafsdrgsgff"; classtype:attempted-user; sid:27847; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Fiesta exploit kit landing page attempt"; flow:to_server,established; urilen:9<>16; content:"/?"; depth:13; http_uri; pcre:"/^\x2f[a-z0-9]{6,10}\x2f\?[0-9]{1,2}$/Ui"; classtype:trojan-activity; sid:27809; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Gong Da exploit kit plugin detection"; flow:to_client,established; file_data; content:"else if (deployJava.testUsingActiveX(|27|1.6.0|27|))"; fast_pattern:only; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27703; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit outbound URI request"; flow:to_server,established; content:".php?adclick="; fast_pattern:only; http_uri; pcre:"/php\?adclick\=\d{2,3}$/Ui"; reference:url,malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/; classtype:trojan-activity; sid:27557; rev:3;) # 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit outbound URI request"; flow:to_server,established; content:"php?subject="; fast_pattern:only; http_uri; pcre:"/php\?subject\=\d{2,3}$/Ui"; reference:url,malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/; classtype:trojan-activity; sid:27556; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit outbound URI request"; flow:to_server,established; content:"php?read="; fast_pattern:only; http_uri; pcre:"/php\?read\=\d{2,3}$/Ui"; reference:url,malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/; classtype:trojan-activity; sid:27555; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit outbound URI request"; flow:to_server,established; content:"php?plugins="; fast_pattern:only; http_uri; pcre:"/php\?plugins\=\d{2,3}/Ui"; reference:url,malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/; classtype:trojan-activity; sid:27554; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit outbound URI request"; flow:to_server,established; content:"php?display="; fast_pattern:only; http_uri; pcre:"/php\?display\=\d{2,3}$/Ui"; reference:url,malwaresigs.com/2013/07/30/malvertising-on-youtube-com-redirects-to-sweet-orange-ek/; classtype:trojan-activity; sid:27553; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Kore exploit kit redirection outbound attempt"; flow:to_server,established; urilen:<25; content:"/blog/?p="; fast_pattern:only; http_uri; pcre:"/^\/blog\/\?p=\d{4}$/U"; classtype:trojan-activity; sid:28014; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Kore exploit kit redirection outbound attempt"; 
flow:to_server,established; urilen:<25; content:"index.php?p="; fast_pattern:only; http_uri; pcre:"/^\/index\.php\?p=\d{4}$/U"; classtype:trojan-activity; sid:28013; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Nuclear exploit kit font file exploit download attempt"; flow:to_server,established; urilen:>35; content:".eot"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\.eot$/Ui"; classtype:trojan-activity; sid:28110; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Teletubbies exploit kit outbound connection post compromise"; flow:to_server,established; content:"/cl.php"; fast_pattern:only; http_uri; content:"cl.php HTTP/"; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27884; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Oracle Java Unknown exploit kit java dropped file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"XHbNaqRg.class"; fast_pattern:only; classtype:trojan-activity; sid:25651; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Redkit exploit kit possibly malicious iframe embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http|3A 2F 2F|"; fast_pattern:only; classtype:trojan-activity; sid:27874; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Unknown exploit kit landing page"; flow:to_client,established; file_data; content:" "; distance:0; nocase; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28458; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player use after free race condition"; flow:to_client,established; 
flowbits:isset,file.swf; content:"|6F AB DE 4D E9 B5 73 2F 00 25 84 02 B2 A9 B5 4A 7F 11 B0 40 00 10 0D 0B 20 1E 18 CF 62 C7 66 EB|"; fast_pattern:only; reference:cve,2013-3361; reference:url,www.adobe.com/support/security/bulletins/apsb13-21.html; classtype:attempted-user; sid:28566; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Big.class"; content:"Big010.class"; distance:0; content:"Big011.class"; distance:0; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26512; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"cpnakc.class"; distance:0; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25862; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"arttqa.class"; 
distance:0; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.virustotal.com/en/file/762bb7087cbde34e8c4be5daf34732c280be7d30e4070fb159c09eb9dbccf5f0/analysis/; classtype:trojan-activity; sid:25861; rev:5;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Multiple exploit kit malicious jar file dropped"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"mac.classPK"; nocase; content:"test.classPK"; distance:0; nocase; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25382; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt"; flow:to_client,established; file_data; content:"left|3A| -100px|3B| top|3A| -100px|3B| z-index|3A|"; fast_pattern:only; reference:cve,2013-0431; classtype:trojan-activity; sid:28412; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Bancos outbound connection attempt"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: "; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; 
sid:28801; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Excel CatSerRange record exploit attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"|20 10 08 00|"; byte_test:2, >, 0, 0, relative, little; byte_test:2, <, 32000, 0, relative, little; byte_test:2, >, 0x7FFF, 2, relative, little; reference:cve,2011-0978; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-021; classtype:attempted-admin; sid:18639; rev:12;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; content:"JHelper.datPK"; fast_pattern:only; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26098; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit Java archive transfer"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"JHelper.classPK"; fast_pattern:only; content:"Foo.classPK"; content:"JPlayer.classPK"; reference:cve,2012-1723; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26097; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/h"; depth:2; http_uri; content:"?g"; distance:0; http_uri; pcre:"/^\/h[a-z]+?\?g[a-z]+?=\d{6,7}$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; 
classtype:trojan-activity; sid:27785; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt"; flow:to_server,established; content:"/e"; depth:2; http_uri; content:"?y"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/e[a-z]+?\?y[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:27784; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/g"; depth:2; http_uri; content:"?t"; distance:0; http_uri; pcre:"/^\/g[a-z]+?\?t[a-z]+?=\d{6,7}$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28032; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit Oracle Java exploit download attempt"; flow:to_server,established; content:"/r"; depth:2; http_uri; content:"?j"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28031; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/j"; depth:2; http_uri; content:"?f"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28214; rev:3;) # alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/k"; depth:2; http_uri; content:"?e"; distance:0; http_uri; pcre:"/^\/k[a-z]+?\?e[a-z]+?=\d{6,7}$/mU"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28298; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/v"; depth:2; http_uri; content:"?n"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28275; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/p"; depth:2; http_uri; content:"?h"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/p[a-z]+?\?h[a-z]+?=[a-f0-9]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28274; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/b"; depth:2; http_uri; content:"?n"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28273; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; 
flow:to_server,established; content:"/o"; depth:2; http_uri; content:"?h"; distance:0; http_uri; pcre:"/^\/o[a-z]+?\?h[a-z]+?=\d{6,7}$/U"; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28304; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/d"; depth:2; http_uri; content:"?h"; distance:0; http_uri; pcre:"/^\/d[a-z]+?\?h[a-z]+?=\d{6,7}$/U"; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28460; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/y"; depth:2; http_uri; content:"?f"; distance:0; http_uri; pcre:"/^\/y[a-z]+?\?f[a-z]+?=\d{6,7}$/U"; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28459; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/a"; depth:2; http_uri; content:"?f"; distance:0; http_uri; pcre:"/^\/a[a-z]+?\?f[a-z]+?=\d{6,7}$/U"; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28457; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/t"; depth:2; http_uri; content:"?z"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/t[a-z]+?\?z[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28456; 
rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Neutrino exploit kit outbound request format"; flow:to_server,established; content:"/n"; depth:2; http_uri; content:"?z"; distance:0; http_uri; content:" Java/1."; http_header; pcre:"/^\/n[a-z]+?\?z[a-z]+?=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28455; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx remote code execution attempt"; flow:to_client,established; file_data; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; content:"|3C|PARAM"; nocase; content:"Item1"; within:15; distance:6; content:"|3B|javascript|3A|"; within:45; distance:15; pcre:"/\w+).*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*adb880a6-d8ff-11cf-9377-00aa003b7a11.*?\w+)|fromCharCode|ActivateActiveXControls).*?((?P=object)|(?P=object2))\.(Click|HHClick)/smi"; reference:bugtraq,11770; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; classtype:attempted-user; sid:28385; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit Java exploit download"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"SunJCE.class"; distance:0; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25858; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Blackholev2 exploit kit jar file download"; flow:to_client,established; 
flowbits:isset,file.jar; file_data; content:"JTWAjo.class"; fast_pattern:only; classtype:trojan-activity; sid:27714; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Oracle Java jar file downloaded by Java when zip was defined"; flow:to_client,established; flowbits:isset,zip_in_uri_java; file_data; content:"PK"; content:".class"; distance:0; classtype:trojan-activity; sid:27740; rev:4;) # alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"DELETED PROTOCOL-VOIP From header format string attempt"; flow:to_server; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A\s*[^\r\n%]*%/Hsmi"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20322; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.wri; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; content:"|01 00 18 00|"; within:4; distance:16; fast_pattern; byte_test:4,>,16777216,18,relative,little; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28520; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.wri; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; content:"|01 00 20 00|"; within:4; distance:16; fast_pattern; byte_test:4,>,0x7FFFFFFF,18,relative,little; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28519; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_server,established; flowbits:isset,file.doc|file.wri; 
file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; content:"|01 00 10 00|"; within:4; distance:16; fast_pattern; byte_test:4,>,65536,18,relative,little; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28518; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.wri; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; content:"|01 00 20 00|"; within:4; distance:16; fast_pattern; byte_test:4,>,0x7FFFFFFF,18,relative,little; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28514; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.wri; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; content:"|01 00 18 00|"; within:4; distance:16; fast_pattern; byte_test:4,>,16777216,18,relative,little; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28513; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt"; flow:to_client,established; flowbits:isset,file.doc|file.wri; file_data; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; content:"|01 00 10 00|"; within:4; distance:16; fast_pattern; byte_test:4,>,65536,18,relative,little; reference:cve,2013-3940; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-089; classtype:attempted-user; sid:28512; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Multiple exploit kit flash exploit download"; 
flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"FWS"; depth:3; classtype:trojan-activity; sid:28965; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Multiple exploit kit flash exploit download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"CWS"; depth:3; byte_test:1,>=,0x06,0,relative; classtype:trojan-activity; sid:28964; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Bunitu.G proxy connection to Yahoo"; flow:to_server,established; content:"/hjs?"; http_uri; content:"&__r="; distance:0; http_uri; content:"&post="; distance:0; http_uri; content:"Proxy-Connection|3A 20|"; fast_pattern:only; http_header; pcre:"/^Referer\x3a[^\r\n]*yahoo\x2ecom/smiH"; metadata:ruleset community; classtype:trojan-activity; sid:28954; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED OS-WINDOWS Microsoft Windows WebDAV search overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; http_method; isdataat:1000; content:!"|0A|"; depth:1000; reference:cve,2003-0109; reference:cve,2003-0226; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:11686; rev:15;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT SPL2 exploit kit plugin outbound connection attempt"; flow:to_server,established; content:"html?id"; fast_pattern:only; http_uri; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:29004; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"DELETED MALWARE-CNC Trojan.TDSS.1.Gen keepalive detection"; flow:to_server,established; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; flowbits:set,srat.keepalive; flowbits:noalert; 
reference:url,www.virustotal.com/file-scan/report.html?id=aab0dc79e71ede6443503038c08c539843d37cdb37c0a0f624658860f4432fae-1226491210; classtype:trojan-activity; sid:16270; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-OTHER Win.Trojan.InstallMonster variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/3.0 |28|compatible|3B| Indy Library|29|"; fast_pattern:only; http_header; reference:url,www.virustotal.com/en/file/527562368cd5ba3dd8dc41c51f0998ab225a8dd2273359c4ee7c939d7570d42f/analysis/; classtype:trojan-activity; sid:29123; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_client,established; flowbits:isset,file.pdf&file.ttf; file_data; content:"|00 01 00 00|"; byte_test:2,>,0xfff8,6,relative; content:"|00 01 00 00|"; within:4; distance:10; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,osvdb.org/show/osvdb/66859; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-user; sid:17288; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Adobe Acrobat font parsing integer overflow attempt"; flow:to_server,established; flowbits:isset,file.pdf&file.ttf; file_data; content:"|00 01 00 00|"; byte_test:2,>,0xfff8,6,relative; content:"|00 01 00 00|"; within:4; distance:10; reference:bugtraq,42203; reference:cve,2010-2862; reference:url,osvdb.org/show/osvdb/66859; reference:url,www.adobe.com/support/security/bulletins/apsb10-17.html; classtype:attempted-user; sid:23507; rev:6;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED INDICATOR-OBFUSCATION iFrame injection offscreen"; flow:to_client,established; file_data; content:"-1000px"; content:"top|3A|-1000px"; within:25; classtype:trojan-activity; sid:29191; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT 
Styx exploit kit outbound jar request"; flow:to_server,established; urilen:15; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-zA-Z]{10}\.jar$/U"; flowbits:set,file.exploit_kit.jar; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29451; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED SERVER-IIS Microsoft Windows Server 2012 IIS OData protocol nested replace filter dos attempt"; flow:to_server,established; content:"replace|28|replace|28|replace|28|replace|28|"; depth:250; nocase; content:"HTTP|2F|"; within:500; nocase; content:"Host|3A|"; nocase; reference:cve,2013-0005; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-007; classtype:attempted-dos; sid:29759; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-PDF Adobe Reader invalid JPEG stream double free attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"/Subtype"; content:"/Widget"; within:20; content:"/AP"; distance:0; content:"/N"; distance:10; content:"/XObject"; reference:bugtraq,64802; reference:cve,2014-0493; reference:url,helpx.adobe.com/security/products/reader/apsb14-01.html; classtype:attempted-user; sid:29834; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Adobe Reader malformed JBIG2 decode segment null pointer crash attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/JBIG2Globals 40 0 R"; fast_pattern:only; reference:bugtraq,62431; reference:cve,2013-3352; reference:url,osvdb.org/show/osvdb/97055; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:29065; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-PDF Adobe Reader 
malformed JBIG2 decode segment null pointer crash attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"/FlateDecode"; nocase; content:"/JBIG2Globals 41 0 R"; fast_pattern:only; reference:bugtraq,62431; reference:cve,2013-3352; reference:url,osvdb.org/show/osvdb/97055; reference:url,www.adobe.com/support/security/bulletins/apsb13-22.html; classtype:attempted-user; sid:29064; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_server,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|"; depth:11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25379; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-MULTIMEDIA Apple QuickTime Targa image file buffer overflow attempt"; flow:to_client,established; file_data; flowbits:isset,file.tga; content:"|00 00 02 00 00 00 00 00 00 00 00|"; depth:11; content:"|AC 2A E9 03 18 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:bugtraq,56438; reference:cve,2012-3755; reference:url,support.apple.com/kb/HT5581; classtype:attempted-user; sid:25377; rev:4;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED rule"; flow:to_client,established; file_data; content:"asdfasdfasdfsdfhfghdfg"; classtype:misc-activity; sid:30139; rev:4;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer ruby text tag heap-based buffer overflow attempt"; flow:to_server,established; file_data; content:"[\d\D\w\W]{680,1920}<\x2Frt>/smi"; reference:cve,2014-0313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,www.w3schools.com/tags/tag_rt.asp; classtype:attempted-dos; sid:30115; 
rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED BROWSER-IE Microsoft Internet Explorer ruby text tag heap-based buffer overflow attempt"; flow:to_client,established; file_data; content:"[\d\D\w\W]{680,1920}<\x2Frt>/smi"; reference:cve,2014-0313; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-012; reference:url,www.w3schools.com/tags/tag_rt.asp; classtype:attempted-dos; sid:30114; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Stamp exploit kit malicious Adobe Flash file request"; flow:to_server,established; urilen:16<>19; content:".swf"; http_uri; content:"x-flash-version|3A 20|"; http_header; content:"Referer|3A 20|"; http_header; content:".php|0D 0A|"; distance:0; http_header; pcre:"/^\/[a-zA-Z0-9]{13,14}\.swf$/U"; classtype:trojan-activity; sid:30135; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Stamp exploit kit malicious Jar request"; flow:to_server,established; urilen:16<>19; content:".jar"; fast_pattern; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; flowbits:set,file.exploit_kit.jar; classtype:trojan-activity; sid:30136; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC URI request for known malicious URI - ZBot"; flow:to_server,established; content:"/news/?s="; fast_pattern:only; http_uri; pcre:"/news\/\?s=\d{1,6}$/Ui"; reference:url,www.virustotal.com/file-scan/report.html?id=b3e3b3d389d48ae056845b8223402e1d27c8950eadaa7ffecaebeda93af73a03-1304592231; classtype:trojan-activity; sid:18938; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [80,3443] (msg:"DELETED SERVER-OTHER HP OpenView Network Node Manager freeIPaddrs command injection attempt"; flow:to_server,established; content:"OvCGI/freeIPaddrs.ovpl"; fast_pattern:only; pcre:"/\x3fnetid\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i"; reference:cve,2005-2773; classtype:attempted-admin; sid:14776; 
rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [80,3443] (msg:"DELETED SERVER-OTHER HP OpenView Network Node Manager cdpnode command injection attempt"; flow:to_server,established; content:"OvCGI/cdpView.ovpl"; fast_pattern:only; pcre:"/\x3fcdpnode\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i"; reference:cve,2005-2773; classtype:attempted-admin; sid:14775; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [80,3443] (msg:"DELETED SERVER-OTHER HP OpenView Network Node Manager connectedNodes command injection attempt"; flow:to_server,established; content:"OvCGI/connectedNodes.ovpl"; fast_pattern:only; pcre:"/\x3fnode\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i"; reference:bugtraq,14662; reference:cve,2005-2773; classtype:attempted-admin; sid:14774; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Goon/Infinity Adobe Flash malicious file request"; flow:to_server,established; content:"/swf.swf"; fast_pattern:only; http_uri; pcre:"/^\/swf\.swf$/U"; classtype:trojan-activity; sid:30318; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Fiesta exploit kit landing page"; flow:to_client,established; file_data; content:"|22|data|3A|image/png|3B|base64|2C|"; fast_pattern:only; reference:url,blogs.cisco.com/security/fiesta-exploit-pack-is-no-party-for-drive-by-victims/; classtype:trojan-activity; sid:30313; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Edwards packed Javascript tag containing an applet - seen in KaiXin exploit kit"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,"; content:"|7C|applet|7C|"; distance:0; nocase; classtype:trojan-activity; sid:30287; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-IDENTIFY Apple QuickTime Movie file download request"; flow:to_server,established; content:".mov"; fast_pattern:only; http_uri; pcre:"/\x2emov([\?\x5c\x2f]|$)/smiU"; 
flowbits:set,file.quicktime; flowbits:noalert; classtype:misc-activity; sid:30563; rev:3;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Excel invalid AxisParent record"; flow:to_client,established; file_data; flowbits:isset,file.xls; file_data; content:"|00 00 00 01 00 00 00 16 00 4F 00 34 10 00 00 80 08 12 00 01 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:cve,2011-1987; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:20122; rev:10;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-OFFICE Microsoft Office Excel invalid AxisParent record"; flow:to_client,established; file_data; flowbits:isset,file.xls; file_data; content:"|00 41 10 12 00 00 80 2B 00 00 00 9D 01 00 00 8B 0E 00 00 C4 0D 00 00 33 10 00 00 80 08 14 00 02|"; fast_pattern:only; reference:cve,2011-1987; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-072; classtype:attempted-user; sid:20121; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED MALWARE-OTHER malicious iframe injection redirect attempt"; flow:to_client,established; file_data; content:"-->/si"; classtype:trojan-activity; sid:30324; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"application/x-silverlight-2|22|> $SMTP_SERVERS 25 (msg:"DELETED FILE-FLASH Adobe Flash Player PCRE regexp out of bounds memory leak ASLR bypass attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"RegExp"; nocase; content:"match"; within:130; nocase; pcre:"/RegExp\w?([^\n]*\x28)*?.*?match/smi"; reference:bugtraq,65703; reference:cve,2014-0499; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29984; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 
$HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player PCRE regexp out of bounds memory leak ASLR bypass attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"RegExp"; nocase; content:"match"; within:130; nocase; pcre:"/RegExp\w?(?:[^\n\x29]*\x28){10}/Oi"; reference:bugtraq,65703; reference:cve,2014-0499; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-07.html; classtype:attempted-user; sid:29983; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Multiple exploit kit outbound font request"; flow:to_server,established; urilen:>36; content:".eot"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\.eot$/U"; classtype:trojan-activity; sid:30974; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Fiesta exploit kit java exploit retrieval attempt"; flow:to_server,established; content:"/?"; depth:13; http_uri; content:"|3B|"; distance:0; http_uri; pcre:"/\x2f\?[a-f0-9]{60,66}/U"; content:"application/x-java-archive"; http_header; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; classtype:trojan-activity; sid:27808; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Fiesta exploit kit flash exploit retrieval attempt"; flow:to_server,established; content:"/?"; depth:13; http_uri; content:"|3B|"; within:7; distance:60; http_uri; pcre:"/\x2f\?[a-f0-9]{60,66}\x3b1\d+\x3b\d{1,3}/U"; content:"x-flash-version|3A|"; http_header; classtype:trojan-activity; sid:27807; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Fiesta exploit kit outbound request by Java"; flow:to_server,established; urilen:>60; content:" Java/1."; fast_pattern; http_header; content:"User-Agent|3A| Mozilla"; http_header; pcre:"/^\/[a-z0-9]+\/\?[a-z0-9]{60,66}[\x3b0-9]/Ui"; classtype:trojan-activity; sid:29442; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED 
EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request"; flow:to_server,established; urilen:>60; content:" Java/1."; fast_pattern:only; http_header; pcre:"/[\?\/][a-z0-9]{60,66}[\;0-9]/Ui"; flowbits:set,file.exploit_kit.jar; classtype:trojan-activity; sid:31093; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure"; flow:to_server,established; urilen:73<>100; content:"User-Agent|3A|"; http_header; content:"/"; depth:1; offset:8; http_uri; content:"|3B|"; within:2; distance:64; http_uri; content:!"&"; http_uri; pcre:"/^\/[a-z0-9]{7}\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/U"; flowbits:set,file.exploit_kit.pdf&file.exploit_kit.silverlight; classtype:trojan-activity; sid:31092; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Blackholev2 exploit kit redirection embedding detected"; flow:to_client,established; file_data; content:"{ position|3A|absolute|3B| left|3A|-"; content:"px|3B| top|3A|-"; within:25; content:"px}
$EXTERNAL_NET any (msg:"DELETED EXPLOIT-KIT CottonCastle exploit kit encrypted binary download attempt"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\sHTTP/"; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31280; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"amor.class"; fast_pattern:only; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26037; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Worm.Win32.Koobface.hy variant outbound connection"; flow:to_server,established; content:"/achcheck.php"; nocase; http_uri; content:"Host|3A| main15052009.com"; fast_pattern:only; http_header; reference:url,www.virustotal.com/file-scan/report.html?id=10947be6b66b128aaaa6c7daa1998c9dc1edf9fb457ffe3c6c316b0f0160691e-1285438589; classtype:trojan-activity; sid:19976; rev:8;) # alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"DELETED FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt"; flow:to_server,established; content:"d|00|w|00|m|00|a|00|p|00|i|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; reference:bugtraq,62836; reference:cve,2013-0733; reference:cve,2013-3485; reference:url,osvdb.org/show/osvdb/96228; reference:url,osvdb.org/show/osvdb/98163; classtype:attempted-user; sid:28838; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED FILE-OTHER Multiple Products dwmapi.dll dll-load exploit attempt"; flow:to_server,established; content:"|2F|dwmapi.dll"; fast_pattern:only; http_uri; reference:bugtraq,62836; reference:cve,2013-0733; reference:cve,2013-3485; reference:url,osvdb.org/show/osvdb/96228; 
reference:url,osvdb.org/show/osvdb/98163; classtype:attempted-user; sid:28832; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED MALWARE-CNC Harbinger rootkit click fraud HTTP response"; flow:to_client,established; file_data; content:"http://"; depth:7; content:"|7C|Mozilla/"; fast_pattern:only; pcre:"/\|(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\|\d+\|/"; metadata:ruleset community; classtype:trojan-activity; sid:26752; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Harbinger Rootkit Click Fraud HTTP request"; flow:to_server,established; urilen:8; content:"/task/"; fast_pattern:only; http_uri; pcre:"/^\/task\/\d\/$/U"; content:!"Accept|3A 20|"; http_header; content:"|3B 20|MSIE|20|"; http_header; metadata:ruleset community; classtype:trojan-activity; sid:27202; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Harbinger Rootkit variant outbound connection"; flow:to_server,established; urilen:7<>11; content:"/task/"; fast_pattern:only; http_uri; pcre:"/^\/task\/\d{1,3}\/$/U"; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:ruleset community; classtype:trojan-activity; sid:28004; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Harbinger Rootkit variant - click fraud task request"; flow:to_server,established; urilen:9; content:"/task/"; fast_pattern:only; http_uri; pcre:"/^\/task\/\d\d\/$/U"; content:!"Accept|3A 20|"; http_header; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; metadata:ruleset community; reference:url,virustotal.com/en/file/35bad2a35eac89fa7601cfe7a872d3450bf436b7a3d9100ce66ce2f91376c2ff/analysis/1373030276/; classtype:trojan-activity; sid:28302; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC 
Win.Trojan.Kanav variant outbound connection"; flow:to_server,established; urilen:<21; content:".txt"; nocase; http_uri; content:"User-Agent: Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET CLR 1.1.4322|29|"; fast_pattern:only; http_header; reference:url,www.virustotal.com/en/file/c27048cffafadac1630876c76684d7895ea3662e4a28ea1ba53a126bc0ea8d51/analysis/; classtype:trojan-activity; sid:31910; rev:2;) # alert udp $EXTERNAL_NET any -> $HOME_NET [4433,443] (msg:"DELETED SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt"; flow:to_server; content:"|16 FE FF|"; depth:3; byte_test:1,<,20,10,relative; byte_test:3,>,10000,11,relative; reference:bugtraq,67900; reference:cve,2014-0195; reference:url,osvdb.org/show/osvdb/107730; classtype:attempted-admin; sid:31182; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Astrum exploit kit payload request"; flow:to_server,established; urilen:>60,norm; content:". HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; content:!"Content-Length|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31969; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request"; flow:to_server,established; urilen:>60,norm; content:". 
HTTP/1."; fast_pattern:only; content:"Referer|3A 20|"; http_header; content:"x-flash-version|3A 20|"; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; flowbits:set,file.exploit_kit.flash; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,helpx.adobe.com/security/products/flash-player/apsb14-13.html; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; reference:url,www.adobe.com/support/security/bulletins/apsb13-04.html; classtype:trojan-activity; sid:31968; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Gong Da Jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"ckwm"; content:".class"; within:15; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27701; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".txt HTTP/1.1|0D 0A|Connection: "; fast_pattern:only; content:!"ppp"; http_uri; content:"Content-Length|3A 20 30|"; http_header; reference:url,www.virustotal.com/en/file/b5636b6846810559c37608528ce4e66aa7e1006d5fd55181d07c795476df4f5e/analysis/1375275447/; classtype:trojan-activity; sid:27566; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"DELETED MALWARE-CNC Win32 Mdmbot.B runtime traffic detected"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; reference:url,www.virustotal.com/latest-report.html?resource=9f880ac607cbd7cdfffa609c5883c708; classtype:trojan-activity; sid:21304; 
rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Gresim variant outbound connection"; flow:to_server,established; content:"/imgres?"; depth:8; http_uri; content:"&imgrefurl=http:"; fast_pattern:only; http_uri; content:"&ved="; http_uri; reference:url,virustotal.com/en/file/ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550/analysis/; classtype:trojan-activity; sid:32284; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit Portable Executable download"; flow:to_server,established; content:"/began/"; depth:7; fast_pattern; http_uri; content:".exe?"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/\/began\/\w*\.exe\?\d+/U"; flowbits:set,file.exploit_kit.pe; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26056; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/began/java/lang/ClassCustomizer.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26055; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/began/java/lang/ObjectCustomizer.class"; 
fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26054; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/began/java/lang/ObjectBeanInfo.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26053; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/began/java/lang/ClassBeanInfo.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26052; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious jar file download"; flow:to_server,established; content:"/began/"; depth:7; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; reference:cve,2006-0003; reference:cve,2010-0188; 
reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26051; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit SWF file download"; flow:to_server,established; content:"/began/"; depth:7; fast_pattern; http_uri; content:".swf"; distance:0; nocase; http_uri; pcre:"/\/began\/[^\x2f]*\.swf/Ui"; content:"Referer|3A 20|"; http_header; content:"/began/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/began\//H"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26050; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/began/"; depth:7; fast_pattern; http_uri; content:".eot"; distance:0; http_uri; content:"Referer|3A 20|"; http_header; content:"/began/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/began\//H"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26049; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit PDF exploit"; flow:to_server,established; content:"/began/"; depth:7; 
fast_pattern; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; content:"/began/"; distance:0; http_header; pcre:"/\/began\/[^\x2f]*\.pdf/Ui"; flowbits:set,file.exploit_kit.pdf; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26048; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit Portable Executable download"; flow:to_server,established; content:"/world/"; depth:7; fast_pattern; http_uri; content:".exe?"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/\/world\/\w*\.exe\?\d+/U"; flowbits:set,file.exploit_kit.pe; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25968; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/world/java/lang/ClassCustomizer.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25967; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED 
EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/world/java/lang/ObjectCustomizer.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25966; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/world/java/lang/ObjectBeanInfo.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25965; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/world/java/lang/ClassBeanInfo.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25964; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit SWF file download"; flow:to_server,established; content:"/world/"; depth:7; fast_pattern; http_uri; content:".swf"; distance:0; nocase; http_uri; 
pcre:"/\/world\/[^\x2f]*\.swf/Ui"; content:"Referer|3A 20|"; http_header; content:"/world/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/world\//H"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25963; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/world/"; depth:7; fast_pattern; http_uri; content:".eot"; distance:0; http_uri; content:"Referer|3A 20|"; http_header; content:"/world/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/world\//H"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25962; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit Portable Executable download"; flow:to_server,established; content:"/sales/"; depth:7; fast_pattern; http_uri; content:".exe?"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/\/sales\/\w*\.exe\?\d+/U"; flowbits:set,file.exploit_kit.pe; classtype:trojan-activity; sid:25961; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit former location - has been removed"; flow:to_client,established; file_data; content:"ERROR 404 CONTENT"; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; 
# --- review notes on this run of DELETED rules ---
# Every rule in this span is prefixed with "#" and carries the "DELETED" msg tag, so none of
# it is loaded by the engine; the records are kept only as sid/rev history.
# NOTE(review): this span appears to have been collapsed and partially stripped during
# extraction — several content:"..." patterns end abruptly (e.g. landing-page rules whose
# content:" runs straight into the next rule's header, and a content:"User-Agent: " split
# across lines). Do not re-enable anything from this copy; diff it against the upstream
# deleted.rules first.
# NOTE(review): sid 25859 sets flowbits file.exploit_kit.kar, while the sibling jar rules
# (e.g. sid 25955, 25510) set file.exploit_kit.jar — looks like a typo; a downstream
# flowbits:isset,file.exploit_kit.jar check would never see this rule's flag.
# NOTE(review): sids 32480, 32520, 32507, 32445 and 32444 appear to carry placeholder
# msg/content text rather than real detection logic — treat them as tombstones.
reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25960; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/sales/java/lang/ClassCustomizer.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25959; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/sales/java/lang/ObjectCustomizer.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25958; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/sales/java/lang/ObjectBeanInfo.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; 
reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25957; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious class file download"; flow:to_server,established; content:"/sales/java/lang/ClassBeanInfo.class"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25956; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious jar file download"; flow:to_server,established; content:"/sales/"; depth:7; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25955; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit SWF file download"; flow:to_server,established; content:"/sales/"; depth:7; fast_pattern; http_uri; content:".swf"; distance:0; nocase; http_uri; pcre:"/\/sales\/[^\x2f]*\.swf/Ui"; content:"Referer|3A 20|"; http_header; content:"/sales/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/sales\//H"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; 
reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25954; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/sales/"; depth:7; fast_pattern; http_uri; content:".eot"; distance:0; http_uri; content:"Referer|3A 20|"; http_header; content:"/sales/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/sales\//H"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25951; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit PDF exploit"; flow:to_server,established; content:"/sales/"; depth:7; fast_pattern; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; content:"/sales/"; distance:0; http_header; pcre:"/\/sales\/[^\x2f]*\d\.pdf/Ui"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25950; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious jar file download"; flow:to_server,established; content:"/world/"; depth:7; fast_pattern; nocase; 
http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.kar; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25859; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit PDF exploit"; flow:to_server,established; content:"/world/"; depth:7; fast_pattern; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; pcre:"/\/world\/[^\x2f]*\.pdf/Ui"; pcre:"/Referer\x3a[^\x0d\x0a]*\/world\//H"; flowbits:set,file.exploit_kit.pdf; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25857; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/tur/"; http_uri; content:".eot"; distance:0; nocase; http_uri; pcre:"/\/tur\/[^\x2f]*\x2eeot$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25598; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/for/"; http_uri; content:".eot"; distance:0; nocase; http_uri; pcre:"/\/for\/[^\x2f]*\x2eeot$/smiU"; 
reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25597; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/public/"; http_uri; content:".eot"; distance:0; nocase; http_uri; pcre:"/\/public\/[^\x2f]*\x2eeot$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25596; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_server,established; content:"/tur/"; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/tur\/[^\x2f]*\x2ejar$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25595; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_server,established; content:"/for/"; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/for\/[^\x2f]*\x2ejar$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25594; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; 
flow:to_server,established; content:"/public/"; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/public\/[^\x2f]*\x2ejar$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25593; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_server,established; content:"/read/"; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/read\/[^\x2f]*\x2ejar$/smiU"; flowbits:set,file.exploit_kit.jar; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25510; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit pdf exploit retrieval"; flow:to_server,established; content:"/read/"; nocase; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; content:"/read/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/read\/[A-Z]+\.[A-Z]+\x0d\x0a/Hi"; pcre:"/\/read\/[^\x2f]*\x2epdf$/smiU"; flowbits:set,file.exploit_kit.pdf; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25509; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_server,established; content:"/article"; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; 
content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/articles?\/[^\x2f]*\x2ejar$/smiU"; flowbits:set,file.exploit_kit.jar; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25508; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit pdf exploit retrieval"; flow:to_server,established; content:"/article"; nocase; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; content:"/article"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/articles?\/[A-Z]+\.[A-Z]+\x0d\x0a/Hi"; pcre:"/\/articles?\/[^\x2f]*\x2epdf$/smiU"; flowbits:set,file.exploit_kit.pdf; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25507; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/read/"; http_uri; content:".eot"; distance:0; nocase; http_uri; pcre:"/\/read\/[^\x2f]*\x2eeot$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25506; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/article"; http_uri; content:".eot"; distance:0; nocase; http_uri; pcre:"/\/articles?\/[^\x2f]*\x2eeot$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; 
classtype:trojan-activity; sid:25505; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit pdf payload detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"evrewrwervwe"; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26510; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"(window[|22|qgq|22|](new Array("; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26507; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit jar file redirection"; flow:to_client,established; file_data; content:""; within:10; distance:1; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26506; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit malicious jar download"; flow:to_client,established; file_data; 
content:"MyApplet$MyBufferedImage.class"; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26256; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code="; content:"Applet|22|><"; distance:0; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26254; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit MyApplet class retrieval"; flow:to_server,established; urilen:21; content:"/world/MyApplet.class"; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26229; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit redirection page"; flow:to_client,established; file_data; content:".jar|22| code=|22|MyApplet"; content:"|22|><"; distance:0; pcre:"/code\=\x22MyApplet(\.class)?\x22><\/applet/"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; 
reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26228; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page "; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit redirection structure"; flow:to_client,established; file_data; content:""; within:100; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26047; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page"; flow:to_client,established; file_data; content:"
|0D 0A|"; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25953; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page"; flow:to_client,established; file_data; content:"try{document.body++|3B|}catch(q){"; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:25952; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_server,established; content:"/contact"; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/contacts?\/[^\x2f]*\x2ejar$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25328; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit pdf exploit retrieval"; flow:to_server,established; content:"/contacts/"; nocase; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; content:"/contacts/"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/contacts\/[A-Z]+\.[A-Z]+\x0d\x0a/Hi"; 
pcre:"/\/contacts\/[^\x2f]*\x2epdf$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25327; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit java exploit retrieval"; flow:to_server,established; content:"/new"; fast_pattern; nocase; http_uri; content:".jar"; distance:0; nocase; http_uri; content:" Java/1."; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; pcre:"/\/news?\/[^\x2f]*\x2ejar$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25326; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit pdf exploit retrieval"; flow:to_server,established; content:"/new"; nocase; http_uri; content:".pdf"; distance:0; nocase; http_uri; content:"Referer|3A 20|"; http_header; content:"/new"; distance:0; http_header; pcre:"/Referer\x3a[^\x0d\x0a]*\/news?\/[A-Z]+\.[A-Z]+\x0d\x0a/Hi"; pcre:"/\/news?\/[^\x2f]*\x2epdf$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25325; rev:9;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page detected"; flow:to_client,established; file_data; content:"
"; within:45; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25324; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/new"; depth:4; http_uri; content:".EOT"; distance:0; http_uri; pcre:"/^\/news?\/[A-Z\x2d]+\x2eEOT$/mU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25323; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit EOT file download"; flow:to_server,established; content:"/contact"; http_uri; content:".eot"; distance:0; nocase; http_uri; pcre:"/\/contacts?\/[^\x2f]*\x2eeot$/smiU"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; classtype:trojan-activity; sid:25322; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit 32-bit font file download"; flow:to_server,established; content:"/32s_font.eot"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:25056; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit 64-bit font file download"; flow:to_server,established; content:"/64s_font.eot"; fast_pattern:only; http_uri; 
reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:25055; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit requesting payload"; flow:to_server,established; content:"/f.php?k="; fast_pattern:only; http_uri; pcre:"/\/f\.php\?k=\d/U"; flowbits:set,file.exploit_kit.pe; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:25045; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit 64-bit font file download"; flow:to_server,established; content:"/64size_font.eot"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:24784; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit 32-bit font file download"; flow:to_server,established; content:"/32size_font.eot"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; 
reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:24783; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit outbound request"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:24782; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit outbound request"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/10/newcoolek.html; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:24781; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit - PDF Exploit"; flow:to_server,established; content:"/pdf_old.php"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; 
classtype:trojan-activity; sid:24780; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit - PDF Exploit"; flow:to_server,established; content:"/pdf_new.php"; fast_pattern:only; http_uri; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:24779; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Cool exploit kit landing page - Title"; flow:to_client,established; file_data; content:"Hello my friend..."; fast_pattern:only; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html; classtype:trojan-activity; sid:24778; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET [972] (msg:"DELETED EXPLOIT-KIT Cool exploit kit jar file retrieved on non-standard port"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1"; http_header; content:"|3A|972|0D 0A|"; http_header; pcre:"/Host\x3a\x20[^\s]*\x3a972/H"; flowbits:set,file.exploit_kit.jar; classtype:misc-activity; sid:27780; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET [801] (msg:"DELETED EXPLOIT-KIT Cool exploit kit jar file retrieved on non-standard port"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1"; http_header; content:"|3A|801|0D 0A|"; http_header; pcre:"/Host\x3a\x20[^\s]*\x3a801/H"; flowbits:set,file.exploit_kit.jar; classtype:misc-activity; sid:27779; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET [36] (msg:"DELETED EXPLOIT-KIT Cool exploit kit jar file retrieved on non-standard port"; 
flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1"; http_header; content:"|3A|36|0D 0A|"; http_header; pcre:"/Host\x3a\x20[^\s]*\x3a36/H"; flowbits:set,file.exploit_kit.jar; classtype:misc-activity; sid:27778; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"chr1 = (enc1 << 2) |7C| (enc2 >> 4)|3B|"; content:"chr3 = ((enc3 & 3) << (3+3)) |7C| enc4|3B|"; within:200; flowbits:set,file.exploit_kit.jar; classtype:trojan-activity; sid:27777; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET [36,801,972] (msg:"DELETED EXPLOIT-KIT Cool exploit kit portable executable download on non-standard port"; flow:to_server,established; content:".txt?e="; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\.txt\?e=\d+$/Ui"; classtype:misc-activity; sid:27776; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED EXPLOIT-KIT Cool exploit kit redirection outbound attempt"; flow:to_server,established; urilen:17; content:"/index.php?p="; fast_pattern:only; http_uri; pcre:"/^\/index\.php\?p=\d{4}$/U"; flowbits:set,file.exploit_kit.jar; flowbits:noalert; classtype:trojan-activity; sid:28200; rev:3;) # alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"DELETED deleted stuff that was pulled etc"; flow:to_server; content:"dfasdfrwwrgahdfgdgergqergqghg"; classtype:attempted-admin; sid:32480; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED hrt67yu467e56yeher6ywe5rtw45y356yert"; flow:to_server,established; content:"eyery456745yteheyeryery"; classtype:misc-attack; sid:32520; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED asdfasdfwefasfadfadfa"; flow:to_server,established; content:"asdfasdfasdfasdfasdfdfggghshfghdh"; fast_pattern:only; classtype:misc-attack; sid:32507; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 
25 (msg:"DELETED er56ye56747356yet7je5rtstfur6ysfdtytfh"; flow:to_server,established; content:"retuy356735567356h3etyhw45tyq456y2565uwtfhstfh"; classtype:attempted-user; sid:32445; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED 456yhdhetu467ue5rtywr6u37uw5rgwtdhst"; flow:to_client,established; content:"rethertyh47356yw5ryqw34512eywr5ywtys"; classtype:attempted-user; sid:32444; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DELETED OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03 00|"; depth:3; content:"|10|"; within:1; distance:2; byte_extract:3,0,client_keyx_len,relative; byte_test:1,>,client_keyx_len,0,relative; reference:cve,2014-6321; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-066; classtype:attempted-admin; sid:32418; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:"|FF C0 00 11 08|"; content:"|03 01|"; within:2; distance:4; content:"|FF DA 00 0C 03|"; within:500; content:!"|03|"; within:1; distance:4; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32597; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player malformed third component in color JPEG information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|FF C0 00 11 08|"; content:"|03 01|"; within:2; distance:4; content:"|FF DA 00 0C 03|"; within:500; content:!"|03|"; within:1; distance:4; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32596; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG 
information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:"|FF C0 00 11 08|"; content:"|03 01|"; within:2; distance:4; content:"|FF DA 00 0C 03|"; within:500; content:!"|02|"; within:1; distance:2; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32595; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player malformed second component in color JPEG information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|FF C0 00 11 08|"; content:"|03 01|"; within:2; distance:4; content:"|FF DA 00 0C 03|"; within:500; content:!"|02|"; within:1; distance:2; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32594; rev:2;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.jpeg; content:"|FF C0 00 0B 08|"; content:"|01 01|"; within:2; distance:4; content:"|FF DA 00 08 01|"; within:500; content:!"|01|"; within:1; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32591; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED FILE-FLASH Adobe Flash Player malformed greyscale JPEG information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|FF C0 00 0B 08|"; content:"|01 01|"; within:2; distance:4; content:"|FF DA 00 08 01|"; within:500; content:!"|01|"; within:1; reference:bugtraq,69701; reference:cve,2014-0557; classtype:attempted-user; sid:32590; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: 
Mozilla/4.0|0D 0A|"; http_header; metadata:ruleset community; reference:url,www.virustotal.com/en/file/b4d4e5ca72c0c5905bb3a4ed3ad51ee7202901887522d6899b5f48f8ef6f3dcd/analysis/; classtype:trojan-activity; sid:32531; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure"; flow:to_client,established; content:"|3B 20|filename|3D|"; nocase; http_header; content:".jar"; within:4; distance:8; nocase; http_header; pcre:"/filename\x3d\w{8}\.jar/iH"; file_data; content:"PK|03 04|"; depth:4; reference:cve,2013-0422; classtype:trojan-activity; sid:24798; rev:5;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt"; flow:to_server,established; file_data; content:"|41 47 4E 49|"; depth:4; content:"HEAD"; distance:0; content:"ETSKPWPL"; distance:0; byte_test:2,>,0x38,55,relative,little; reference:bugtraq,71191; reference:cve,2014-8386; reference:url,osvdb.org/show/osvdb/114843; classtype:attempted-user; sid:32906; rev:2;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"DELETED PROTOCOL-SCADA Advantech ADAMView display properties remote code execution attempt"; flow:to_client,established; file_data; content:"|41 47 4E 49|"; depth:4; content:"HEAD"; distance:0; content:"ETSKPWPL"; distance:0; byte_test:2,>,0x38,55,relative,little; reference:bugtraq,71191; reference:cve,2014-8386; reference:url,osvdb.org/show/osvdb/114843; classtype:attempted-user; sid:32905; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Redkit exploit kit redirection"; flow:to_client,established; file_data; content:"